OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

[noil]

Can someone explain what is wrong with what happens after the second goto? I am new to programming, but I understand that after the "if" statement, pass or fail, the next thing that will happen is automatic failure.

The next part is what I'm trying to understand. It said something failed, so in the fail goto, it freed the buffers at the locations. So what was it doing after the fail state that made this bad? Wouldn't it just not continue with what it was supposed to do after failing and do some type of error out functionality?

Also, what does this patch mean for those who mainly use their iOS devices and Apple computers at home. Do we need to worry about it since we don't want to update to iOS 7 and Apple has made it clear that it's not possible to get 6.1.6 unless you have an iPod Touch 4G or less.

 

[simonmet]

I can't believe how any developer working on such an important module of the system can act this stupid and how this code could even pass the review. wherever software is developed these days, every change to the code is carefully reviewed by another developer using a specialized review software before allowing it to find it's way into the final code.

For those who'd like to know how this bug was introduced:

if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
  goto fail;
  goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
  goto fail;

Source: http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c

adding the second "goto fail;" was more or less the only thing changed in that file, leading to "fail" no matter what the result of the if-statement is. for those who don't know about programming: this is a totally obvious mistake every beginner in programmer and especially the reviewer should be aware of. when reviewing changes to the code, you usually see both files side by side, in this case pointing out: "THIS IS THE ONLY LINE THAT CHANGED. PLEASE CHECK IT" and the reviewer should think something like "WTF IS THIS CRAP?".

This is a real shame. I wonder how developer and reviewer explained this to their line managers.

Which leads me to believe the vulnerability is deliberate.

Clock is ticking Apple!! Surely it shouldn't take more than 24-48 hours?

 

[stokeyite]

sloppy

Others will have already said this, but I'm absolutely shocked at how sloppy the coding underlying this bug is.

Apple - time to look at your quality assurance processes?! - if this was a governmental organisation that made such a mistake auditors would be crawling all over the place and public reports made. I doubt Apple will do that but perhaps a bit more openness and accountability on Apple's part might raise standards?

----------

Also, what does this patch mean for those who mainly use their iOS devices and Apple computers at home. Do we need to worry about it since we don't want to update to iOS 7 and Apple has made it clear that it's not possible to get 6.1.6 unless you have an iPod Touch 4G or less.

I was in a similar position - not wanting to upgrade to iOS 7 due to reports of poor battery life with the iPhone 5. I've upgraded with this as I figure better safe than sorry and iOS 7.1 which is supposed to improve battery life is due out in March.

 

[ghostlines]

Why's the patch taking this long

I aint no pro, but if removing/commenting just one line solves this issue why wouldn't Apple release a patch sooner?
Very strange. This should keep getting blown up in the media.
Great company but I can't understand the reasoning of prioritising iOS over OS X if the fix is 'so simple'.

It's like they have to introduce another backdoor before closing this one on
Just kidding, but it makes you wonder.

 

[R4z3r]

Can someone explain what is wrong with what happens after the second goto? I am new to programming, but I understand that after the "if" statement, pass or fail, the next thing that will happen is automatic failure.

The next part is what I'm trying to understand. It said something failed, so in the fail goto, it freed the buffers at the locations. So what was it doing after the fail state that made this bad? Wouldn't it just not continue with what it was supposed to do after failing and do some type of error out functionality?

Also, what does this patch mean for those who mainly use their iOS devices and Apple computers at home. Do we need to worry about it since we don't want to update to iOS 7 and Apple has made it clear that it's not possible to get 6.1.6 unless you have an iPod Touch 4G or less.

Read this article to really understand it:
http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062

They explain why this bug is a very big deal.

 

[Rigby]

Which leads me to believe the vulnerability is deliberate.

Seems unlikely to me. Too obvious and easy to exploit. Agencies like the NSA would probably introduce subtle cryptographic weaknesses in temp key generation or similar.

What amazes me most about this bug is that Apple apparently turns off or ignores compiler warnings, and doesn't run a lint-type code analyzer tool on its code. Both would have produced an "unreachable code" warning.

 

[ColdShadow]

bug is peresent in Safari,both Chrome and Firefox came out clean.
however Safari is my main browser and I rarely if ever use Chrome and Firefox

 

[mhdena]

I rarely use Safari, prefer Firefox.

I never go on any secure sites on an open network.

I would go on sites like this (mr) etc., but that's about it in an open network.
'
So I guess I'm safe

 

[C DM]

I aint no pro, but if removing/commenting just one line solves this issue why wouldn't Apple release a patch sooner?
Very strange. This should keep getting blown up in the media.
Great company but I can't understand the reasoning of prioritising iOS over OS X if the fix is 'so simple'.

It's like they have to introduce another backdoor before closing this one on
Just kidding, but it makes you wonder.

Because they didn't know about it earlier or didn't have the fix all tested and ready to be rolled out?

 

[manu chao]

I'll update if/when they're fixed, not at version 10.9.0. I actually tried it for a few weeks on my computer since I updated right when it came out… later, I downgraded. It's also got other bugs that happen to some people (aka me and my family) like the random logout, the huge CPU usage, the corrupted installation, and the Dock randomly switching screens when controlling with VNC. Why jump the gun on updating when you can stick with your stable OS and wait a bit?

Why then give the impression that Mavericks is clearly more buggy than previous OS version and better should be skipped completely? Whether you update right away or after 10.x.2 is released is a personal preference (what risks you are willing to take, what small annoyances you are willing to tolerate for some new features you like is a personal preference). But not updating at all just shows an unwillingness to accept any change (ie, to swap one set of small annoyances for another set of small annoyances).

Even then, not sure if it's worth updating unless they fix a serious problem only in 10.9 since the OS overall seems to be slower on every computer I've tried. From what I've experienced, they don't seem to have fixed anything but QuickTime Player's screen recording capability. […] Definitely no performance improvements.

And the fact that you believe your own perception on this just tells me enough about you, that I certainly won't consider you an objective observer. You seem to let emotions present you a very distorted version of reality. But if it makes you happy to be cynical and dismissive of the work and efforts of others, who am I too to tell you what is better for you.

 

[lulumink]

I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!

 

[allanfries]

The cellular network is vulnerable as well, but it's more complicated to do than setting up a "FREE WIFI" network in a public place. Google "rogue cell tower."

In the US, you're unlikely to encounter one of those but know that the NSA, who already spy on cell network traffic, now have an even easier way to see all of the contents of that traffic.

Wow! One just can't win. I'm in Canada, so hopefully things are a little more secure here? I updated to 7.0.6 on my 5S and iPad mini, release day morning.
Hope I'm good?

 

[mw360]

I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!

Woah, don't us the word 'force' like that. It upsets some people around here.

But yeah, you actually have no choice now. I now have to update my wife's iPhone from 6. She's not going to be happy.

 

[SusanK]

I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!

http://apple.com/feedback/ipad.html

Sending feedback to Apple may or may not help. I did, nothing to lose.

 

[manu chao]

How convenient. Apple will force everyone with a device capable of installing iOS7 to install it one way or another.... and then "brag" about the adoption of iOS 7.

Yeah, and what is wrong about that? Is it a human right to get security updates for a system indefinitely without feature changes? Political commentators sometimes joke that the very first article of any constitution seems to be the right of nothing ever changing. You certainly seem to support that sentiment.

----------

Woah, don't us the word 'force' like that. It upsets some people around here.

But yeah, you actually have no choice now. I now have to update my wife's iPhone from 6. She's not going to be happy.

That's life, sometimes you have to choose between two options that you both don't like. If you get your knickers into a twist already about this, life must be pretty tough.

 

[TalulahRose]

Do I need to update if I'm running iOS 6.1.3 on an iPhone 4?

Does this security issue only affect iOS 7 or does it affect previous iOS on iPhones? I'm running iOS 6.1.3 on an iPhone 4 and would prefer not to update to iOS 7 if at all possible (can't stand the new calendar and other "upgrades").

 

[sracer]

Yeah, and what is wrong about that? Is it a human right to get security updates for a system indefinitely without feature changes? Political commentators sometimes joke that the very first article of any constitution seems to be the right of nothing ever changing. You certainly seem to support that sentiment.

No need to go all drama queen on us. Your characterization of "updates for a system indefinitely" for iOS 6.1.3 that was released less than a year ago hardly qualifies as "indefinitely"... a little common sense and less emotional attachment can go a long way.

Some people like to actually think about when and why they would update their devices others prefer to allow Apple to do their thinking for them. You certainly seem to support that latter sentiment.

 

[Rigby]

I rarely use Safari, prefer Firefox.

I never go on any secure sites on an open network.

I would go on sites like this (mr) etc., but that's about it in an open network.
'
So I guess I'm safe

Do you have iCloud activated? Automatic software update check? Do you use Apple Mail, Messenger, Facetime etc? Then you are not safe.

 

[mabaker]

10.7 seems secure from this particular bug.

 

[mw360]

Yeah, and what is wrong about that? Is it a human right to get security updates for a system indefinitely without feature changes? Political commentators sometimes joke that the very first article of any constitution seems to be the right of nothing ever changing. You certainly seem to support that sentiment.

----------



That's life, sometimes you have to choose between two options that you both don't like. If you get your knickers into a twist already about this, life must be pretty tough.

Hey thanks for proving me right.

 

[gotluck]

Patch is out in cydia as well

6.0-7.1betas

 

[synp]

Can someone explain what is wrong with what happens after the second goto? I am new to programming, but I understand that after the "if" statement, pass or fail, the next thing that will happen is automatic failure.

The next thing that happens is returning 'err', which now has a success value, so the entire function (that verifies the server signature) is deemed to have succeeded.

----------

I aint no pro, but if removing/commenting just one line solves this issue why wouldn't Apple release a patch sooner?
Very strange. This should keep getting blown up in the media.
Great company but I can't understand the reasoning of prioritising iOS over OS X if the fix is 'so simple'.

I am a pro, and there is no good excuse for it. My guess is that with a large company like that, there is a procedure that needs to be followed, and you can't release anything, even a security hotfix without QA signing off on it, and that it takes longer for the QA cycle on Mac OS than iOS.

That iOS has priority over OS X makes sense - there are way more customers on the former than the latter by now.

 

[mhdena]

Do you have iCloud activated? Automatic software update check? Do you use Apple Mail, Messenger, Facetime etc? Then you are not safe.

None of these are activated.

Safe

 

[C DM]

Does this security issue only affect iOS 7 or does it affect previous iOS on iPhones? I'm running iOS 6.1.3 on an iPhone 4 and would prefer not to update to iOS 7 if at all possible (can't stand the new calendar and other "upgrades").

Yes iOS 6 is affected as well.

----------

Yeah, and what is wrong about that? Is it a human right to get security updates for a system indefinitely without feature changes? Political commentators sometimes joke that the very first article of any constitution seems to be the right of nothing ever changing. You certainly seem to support that sentiment.

----------



That's life, sometimes you have to choose between two options that you both don't like. If you get your knickers into a twist already about this, life must be pretty tough.

Clearly they released and iOS 6 update too so it wouldn't be out of line to allow those on iOS 6 still to be able to get it without having to upgrade to iOS 7.

 

[lulumink]

Woah, don't us the word 'force' like that. It upsets some people around here.

But yeah, you actually have no choice now. I now have to update my wife's iPhone from 6. She's not going to be happy.

True, but it's an indirect force. It leaves the user with a tough situation.
Either upgrade or live with the security flaw. None of them is what the ios 6 wanted.