New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage, Other Apps Affected

Sunday February 23, 2014 6:18 pm PST by Richard Padilla
Apple has confirmed that it will issue a software update "very soon" to patch the security flaw found in OS X that allows attackers to capture or modify data protected by the SSL/TLS protocols in Safari, reports Reuters. The vulnerability of OS X to the bug was detailed by security firm CrowdStrike and a Google engineer last Friday, and came right after Apple released iOS 7.0.6 to fix the SSL-related issues on iOS.

However, the security flaw, which has been termed "GoToFail" by security specialists due to the improperly used "goto" command that triggers it, may be affecting more than just Safari. Independent privacy researcher Ashkan Soltani has pointed out on his Twitter (via Forbes) that Apple's vulnerable SSL library is also used by apps including FaceTime, iMessage, Twitter, Calendar, Keynote, Mail, iBooks, Software Update, and more.

gotofail_list_of_apps
A list of apps deemed vulnerable to the SSL bug found in OS X and iOS by security researcher Ashkan Soltani

Soltani does point out that apps such as iMessage and FaceTime have addded security measures that weaken the effects of the security flaw, but also added that the initial iCloud login used to authenticate such apps may also be compromised. The researcher states that other parts of the protocol such as the handshake between a service and a device are vulnerable to an attack as well, and will need to be secured by Apple.

Currently, users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari. As users wait for a fix to the flaw, CrowdStrike recommends avoiding untrusted and unsecured WiFi networks while traveling. The site also recommends that users update to iOS 7.0.6 if they have not yet installed it on their iOS devices.

Tags: forbes.com, reuters.com
[ 147 comments ]


Top Rated Comments

(View all)

Avatar
yjchua95
66 months ago
I can imagine an NSA techie slamming his head into a wall while saying "*******! They found the loophole I inserted!"
Rating: 21 Votes
Avatar
mathcolo
66 months ago

i hope this is a separate security release, and not only available in 10.9.2.


And it better come tomorrow :mad:
Rating: 12 Votes
Avatar
MacMan988
66 months ago
No security.

Great work, Apple!
Rating: 12 Votes
Avatar
SantaFeNM
66 months ago
Very soon.....

My definition of "very soon," and Apple's definition of "very soon," are very different. :(
Rating: 11 Votes
Avatar
mw360
66 months ago
So are Apple going to block all these vulnerable apps from running until a fix is available? Or is that kind of calling-out just reserved for Flash.
Rating: 7 Votes
Avatar
Sky Blue
66 months ago
i hope this is a separate security release, and not only available in 10.9.2.
Rating: 6 Votes
Avatar
SantaFeNM
66 months ago

That wouldn't be very soon that would be just at the same time, which might not have been practical for OS X at that moment while it was more necessary for iOS given it's much wider exposure and use in more places.


Perhaps I'm different than most users of portable electronics, but my most important private/sensitive/financial data is on my portable laptop, not an iOS device. I'd much rather have my iOS device hacked into than my laptop.

I would think that most people do their taxes and financial management on a OSX machine rather than an iOS device....plus have a lot of other sensitive data on an OSX machine due to storage capacity.

But whatever. Heck of a job, Apple. Handled perfectly. Bravo! :rolleyes:
Rating: 5 Votes
Avatar
Parise
66 months ago

I think the issue was these apps all use the same SSL certs and now that is all fixed.

A serious question. Is the true threat as serious as some are making it? Wouldn't the "evil-doer" need to be on the same wifi network?


When you have a cryptology expert say that it's, "as bad as you could imagine, that's all I can say." Yes it's serious.
Rating: 3 Votes
Avatar
Parise
66 months ago

I totally agree they knew and no it would not have stopped 911. I hate politics so I'm not even gonna argue about it, my point was spying is gonna happen across all governments it's reality. I don't do anything out of the ordinary so I don't care go ahead spy on me.


I'm not doing anything wrong when I'm taking a crap, but I prefer to do it with the door closed.

----------

Sure. Ok. But guess what? There is an easy work around. Don't go on any unsecure public network for the time being.

In all things there is potential risk and then probable/likely risk.

Say there is a thunderstorm outside right now. There is potential that I could get struck by lightning. (Risk associated with current conditions). But the fact that I am indoors, not near any windows? I have taken precautions to minimize the probability/likelihood of the risk.

In other words, the risk has been identified. Until the risk is removed, we need to take accountability for ourselves and minimize our risk potential. And Apple should be held accountable. I believe they are acting responsibly. I think a fix will be out this week. I do not think they will wait until 10.9.2 is ready for release. If they don't meet these times? There should be an uproar.


The amount of you that go out of your way to defend this simply due to your love for Apple is hilarious. Yeah, let me change my life completely because they screwed up.
Rating: 3 Votes
Avatar
oliversl
66 months ago
Well, since iMessage is affected and all what Apple said about iMessage security, then is all BS.

Apple lost almost all respect regarding security, where is the d patch for OSX?
Rating: 3 Votes

[ Read All Comments ]