Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage, Other Apps Affected

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 23, 2014.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Apple has confirmed that it will issue a software update "very soon" to patch the security flaw found in OS X that allows attackers to capture or modify data protected by the SSL/TLS protocols in Safari, reports Reuters. The vulnerability of OS X to the bug was detailed by security firm CrowdStrike and a Google engineer last Friday, and came right after Apple released iOS 7.0.6 to fix the SSL-related issues on iOS.

    However, the security flaw, which has been termed "GoToFail" by security specialists due to the improperly used "goto" command that triggers it, may be affecting more than just Safari. Independent privacy researcher Ashkan Soltani has pointed out on his Twitter (via Forbes) that Apple's vulnerable SSL library is also used by apps including FaceTime, iMessage, Twitter, Calendar, Keynote, Mail, iBooks, Software Update, and more.

    A list of apps deemed vulnerable to the SSL bug found in OS X and iOS by security researcher Ashkan Soltani
    Soltani does point out that apps such as iMessage and FaceTime have added security measures that weaken the effects of the security flaw, but also added that the initial iCloud login used to authenticate such apps may also be compromised. The researcher states that other parts of the protocol such as the handshake between a service and a device are vulnerable to an attack as well, and will need to be secured by Apple.

    Currently, users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari. As users wait for a fix to the flaw, CrowdStrike recommends avoiding untrusted and unsecured WiFi networks while traveling. The site also recommends that users update to iOS 7.0.6 if they have not yet installed it on their iOS devices.

     
  2. macrumors regular

    joshwenke

    Joined:
    Mar 26, 2011
    Location:
    San Jose, CA
    #2
    At least they're fixing it! Look on the bright side :p
     
  3. Guest

    Sky Blue

    Joined:
    Jan 8, 2005
    #3
    I hope this is a separate security release, and not only available in 10.9.2.
     
  4. macrumors 604

    Joined:
    Apr 23, 2011
    Location:
    GVA, KUL, MEL (current), ZQN
    #4
    I can imagine an NSA techie slamming his head into a wall while saying "*******! They found the loophole I inserted!"
     
  5. macrumors G5

    Rogifan

    Joined:
    Nov 14, 2011
    #5
    So did the software release on Friday fix everything or just Safari?
     
  6. macrumors 6502a

    mathcolo

    Joined:
    Sep 14, 2008
    Location:
    Massachusetts
    #6
    And it better come tomorrow :mad:
     
  7. macrumors 6502a

    MacMan988

    Joined:
    Jul 7, 2012
    #7
    No security.

    Great work, Apple!
     
  8. macrumors 601

    gotluck

    Joined:
    Dec 8, 2011
    Location:
    East Central Florida
    #8
    I believe 7.0.6 fixed all issues for iOS related to the SSL bug.
     
  9. macrumors 65816

    furi0usbee

    Joined:
    Jul 11, 2008
    #9
    If Apple (and all companies) don't work with independent, third party security firms, this is one reason why they should. Increasingly we are putting our most private information in the cloud and transmitting it daily. Apple needs to step up and have their systems/software tested/hacked by firms which they hire so these issues can be found out before mass release. Some of the stuff that has gotten by Apple in the past was pretty crazy how it wasn't caught. Some stuff has little impact in day to day use. This one is big however.
     
  10. macrumors G5

    Rogifan

    Joined:
    Nov 14, 2011
    #10
    Thanks. Mods, perhaps the article should be updated to make that clear.
     
  11. macrumors 65816

    telecomm

    Joined:
    Nov 30, 2003
    Location:
    Rome
    #11
    "GoToFail" :D
     
  12. macrumors P6

    Joined:
    Oct 17, 2011
    #12
    Hopefully along with OS X they'll release an update for iOS 7.1 beta and I guess OS X 10.9.2 beta as well to get them in line with this rather bad and important security fix.
     
  13. macrumors newbie

    SantaFeNM

    Joined:
    Oct 13, 2012
    Location:
    Santa Fe, NM
    #13
    Very soon.....

    My definition of "very soon," and Apple's definition of "very soon," are very different. :(
     
  14. macrumors P6

    Joined:
    Oct 17, 2011
    #14
    What would be your definition of very soon given that the news of this came out mid-day Friday or so?
     
  15. macrumors regular

    AstronomyiPhone

    Joined:
    Jun 9, 2013
    Location:
    Maryland
    #15
    GoToFail.com actually exists.
    Nice.
    ...
    Aside from that, why does there need to be 'new research' to confirm that other applications are affected? The bug is a part of OS X's SSL verification system, so of course it is going to affect other applications that use Apple's web services...Forbes ad revenue...
     
  16. macrumors newbie

    Joined:
    Jul 14, 2013
    #16
    I wonder if *very soon* has been worked on over the weekend?
     
  17. macrumors 6502

    starbird

    Joined:
    Mar 2, 2010
    #17
    I think the issue was these apps all use the same SSL certs and now that is all fixed.

    A serious question. Is the true threat as serious as some are making it? Wouldn't the "evil-doer" need to be on the same wifi network?
     
  18. macrumors 601

    gotluck

    Joined:
    Dec 8, 2011
    Location:
    East Central Florida
    #18
    There's a fix on Cydia for jailbreakers on iOS 6-7.1b3 :)
     
  19. macrumors regular

    AstronomyiPhone

    Joined:
    Jun 9, 2013
    Location:
    Maryland
    #19
    Yes, but I think this article does a good job of explaining why that's such an issue...
     
  20. macrumors newbie

    SantaFeNM

    Joined:
    Oct 13, 2012
    Location:
    Santa Fe, NM
    #20
    In line with the release of the iOS update. That would be "very soon".

    Apple has done a poor job of getting the word out about this vulnerability and what their customers should have been, and should be doing while waiting for the patch.

    I've notified a dozen or so people I know that use iOS devices or Macs, and none of them knew about the bug, let alone that they should be avoiding public wifi. Apple could have communicated with their customers much better on this.
     
  21. macrumors G5

    Rogifan

    Joined:
    Nov 14, 2011
    #21
    More page views for MR. ;)
     
  22. macrumors G3

    charlituna

    Joined:
    Jun 11, 2008
    Location:
    Los Angeles, CA
    #22
    We may have an answer to that tomorrow.

    What I find interesting is that the first mentions of this huge failure come AFTER Apple released the fix. Where are the tales of the actual attacks? Where are the tales going on for weeks and months about how some security expert found this bug without being told to go look at the SSL coding and Apple did nothing for ages?
     
  23. macrumors 603

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #23
    What a surprise...

    Only a day later AFTER iOS update with the SAME problem...

    Most apple people will tell me "It's just a coincidence.." that they waited this long in the first place...

    Obviously, Apple doesn't care about security..

    They think they do, otherwise this SSL issue would have been right at the top of the list.... against all other "features" that SHOULD come after security, not before or in-between.

    I would have fixed this the moment I heard about it...

    What else can go wrong ?

    With Apple, anything goes :) .. Next up: Macs are not as secure as Apple thought.
     
  24. macrumors P6

    Joined:
    Oct 17, 2011
    #24
    That's certainly good. Doesn't help much for those who are running the latest iOS 7.1 beta (even not on their main devices) or running iOS 6 on iPhone 4 or 4S or 5 and don't want to go to iOS 7 or jailbreak.
     
  25. macrumors 603

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #25
    I'm a little interested how they know that it's goto and not something else… does goto actually have a one-to-one mapping with something in x86? (I guess it would be jump? But there's plenty of other things that would use jump too, I would think? Function calls would have jump-and-link, while and for would have some kind of conditional jumps… is goto really the only thing that translates directly to jump? I'm surprised Apple doesn't have a static analyzer that automatically rejects code using a goto…)
     
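As an added example (not Apple's code, and not from the MacRumors article or any poster in this thread): a C simulation of the control-flow defect the news post describes, the duplicated "goto fail;" in the SSL server key exchange verification, placed beside a corrected version, and of the point raised in post #25 about why a static check can catch it. The hash (FNV-1a), the "signature" (hash XOR a constant), the status codes and the function names verify_vulnerable, verify_fixed and toy_* are stand-ins invented for this illustration; they are not Secure Transport's primitives, and the handshake bytes are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical status codes for this example (not Secure Transport's OSStatus values). */
enum { OK = 0, ERR_BAD_SIGNATURE = -1, ERR_NOT_VERIFIED = -2 };

/* Toy hash (FNV-1a, 32-bit) standing in for SSLHashSHA1 so the example runs offline. */
typedef struct { uint32_t state; } toy_hash_ctx;

static int toy_hash_init(toy_hash_ctx *c) { c->state = 2166136261u; return OK; }
static int toy_hash_update(toy_hash_ctx *c, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { c->state ^= p[i]; c->state *= 16777619u; }
    return OK;
}
static int toy_hash_final(toy_hash_ctx *c, uint32_t *out) { *out = c->state; return OK; }

/* Toy "signature" = hash XOR a shared key. Stands in for sslRawVerify; it is not cryptography. */
#define TOY_KEY 0xA5A5A5A5u
static uint32_t toy_sign(uint32_t hash) { return hash ^ TOY_KEY; }
static int toy_raw_verify(uint32_t hash, uint32_t sig) { return toy_sign(hash) == sig ? OK : ERR_BAD_SIGNATURE; }

typedef int (*verify_fn)(const uint8_t *, size_t, const uint8_t *, size_t, uint32_t, int *);

/* Mirrors the control flow of the broken key-exchange verification. The second 'goto fail;'
 * is not inside any 'if', so it always executes: the hash is never finalised, toy_raw_verify
 * never runs, and 'err' still holds OK from the last successful update. Result: success is
 * returned for ANY signature. */
static int verify_vulnerable(const uint8_t *server_random, size_t rlen,
                             const uint8_t *signed_params, size_t plen,
                             uint32_t signature, int *verify_reached)
{
    int err;
    toy_hash_ctx ctx;
    uint32_t hash_out;

    *verify_reached = 0;
    if ((err = toy_hash_init(&ctx)) != 0)
        goto fail;
    if ((err = toy_hash_update(&ctx, server_random, rlen)) != 0)
        goto fail;
    if ((err = toy_hash_update(&ctx, signed_params, plen)) != 0)
        goto fail;
        goto fail;   /* duplicated line: indented as if guarded, but unconditional */
    if ((err = toy_hash_final(&ctx, &hash_out)) != 0)   /* dead code from here on */
        goto fail;
    *verify_reached = 1;
    err = toy_raw_verify(hash_out, signature);
fail:
    return err;
}

/* Corrected version. Besides removing the stray goto (and bracing every branch so a stray
 * line cannot silently change a guard), it separates "no step has failed yet" from "the
 * signature was actually verified": success is reported only if toy_raw_verify ran and
 * passed, so a similar slip in the error path fails closed instead of open. */
static int verify_fixed(const uint8_t *server_random, size_t rlen,
                        const uint8_t *signed_params, size_t plen,
                        uint32_t signature, int *verify_reached)
{
    int err = OK;
    int verified = 0;
    toy_hash_ctx ctx;
    uint32_t hash_out;

    *verify_reached = 0;
    if ((err = toy_hash_init(&ctx)) != 0) { goto fail; }
    if ((err = toy_hash_update(&ctx, server_random, rlen)) != 0) { goto fail; }
    if ((err = toy_hash_update(&ctx, signed_params, plen)) != 0) { goto fail; }
    if ((err = toy_hash_final(&ctx, &hash_out)) != 0) { goto fail; }
    *verify_reached = 1;
    err = toy_raw_verify(hash_out, signature);
    verified = (err == OK);
fail:
    return verified ? OK : (err != OK ? err : ERR_NOT_VERIFIED);
}

/* Constructed sample handshake data for the demonstration. */
static const uint8_t SAMPLE_RANDOM[] = "constructed-server-random";
static const uint8_t SAMPLE_PARAMS[] = "constructed-dh-params";

static uint32_t genuine_signature(void)
{
    toy_hash_ctx ctx; uint32_t h;
    toy_hash_init(&ctx);
    toy_hash_update(&ctx, SAMPLE_RANDOM, sizeof SAMPLE_RANDOM);
    toy_hash_update(&ctx, SAMPLE_PARAMS, sizeof SAMPLE_PARAMS);
    toy_hash_final(&ctx, &h);
    return toy_sign(h);
}

/* 1 if 'impl' reports success for 'sig', 0 otherwise; *reached tells whether verify ran. */
static int accepts(verify_fn impl, uint32_t sig, int *reached)
{
    return impl(SAMPLE_RANDOM, sizeof SAMPLE_RANDOM, SAMPLE_PARAMS, sizeof SAMPLE_PARAMS, sig, reached) == OK;
}
static int accepts_genuine(verify_fn impl) { int r; return accepts(impl, genuine_signature(), &r); }
static int accepts_forged(verify_fn impl)  { int r; return accepts(impl, genuine_signature() ^ 1u, &r); }
static int verify_step_reached(verify_fn impl) { int r = 0; accepts(impl, genuine_signature(), &r); return r; }

int main(void)
{
    printf("vulnerable: genuine=%d forged=%d verify_ran=%d\n", accepts_genuine(verify_vulnerable),
           accepts_forged(verify_vulnerable), verify_step_reached(verify_vulnerable));
    printf("fixed:      genuine=%d forged=%d verify_ran=%d\n", accepts_genuine(verify_fixed),
           accepts_forged(verify_fixed), verify_step_reached(verify_fixed));
    return 0;
}
```

On the static-analysis question from post #25: the problem is not goto as such (the single-exit cleanup label is a common C idiom) but that an unconditional goto makes every statement after it unreachable, which is exactly what a compiler can report. clang's -Wunreachable-code flags the dead block in verify_vulnerable, and gcc's -Wmisleading-indentation complains about a second statement indented as though it were guarded by the preceding if. Neither requires banning goto; both require building with the warning enabled and treating it as an error. The other lesson in verify_fixed is independent of tooling: keep a separate "verified" flag so that a skipped verification step cannot turn into a success return merely because no earlier step happened to fail.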