TMCnet Feature Free eNews Subscription
April 01, 2014

Apple's 'GoToFail' Security Flaw Leaves High Concerns

By Wayne Adam, Contributing Writer

Shock waves are running through Apple’s (News - Alert) security system – as well as through its bewildered customers – due to yet another security flaw which has been dubbed “Gotofail” by the security community. It’s all being blamed on a single improperly used “goto” command in Apple’s code that triggered it.



It started in late February of this year when Apple's SSL bug first reared its head and mysterious, urgent updates began pouring out to iOS devices. From there, the news just got worse. It wasn't just an iOS bug, but a problem in Apple's Secure Transport platform, present in OS X 10.9 for desktop and reaching back to iOS 6 on mobile. Although company reps say they are aware of the issue and "already have a software fix that will be released very soon." In a quote, Johns Hopkins cryptographer Matthew Green tweeted about the vulnerability, "It's seriously exploitable and not yet under control." So how bad is it, really?

Though a fix has been issued for mobile devices, Apple still has a very big problem since they don’t know how many devices have received the update, although iOS users tend to update quickly — but beyond mobile, desktops running Mavericks are still completely exposed and waiting for an update. The core of the exploit targets your SSL connection, the encryption behind the little padlock in your browser window you see when visiting webmail or banking sites. The browser knows you’re really talking to the bank because it has verified the site’s SSL certificate, a kind of proof of identity. But the failure in Apple’s code means Secure Transport isn’t checking the certificates properly, and anyone who wanted could masquerade as your banking site, your email, or worse.

To make concerns even higher, researcher Ashkan Soltani says the vulnerability extended to every application built on Apple's SSL library, including Apple’s email program Mail; scheduling app Calendar; and even its official Twitter (News - Alert) desktop client. Further, Soltani believes that the iMessage instant messaging application, the initial login at Apple’s me.com website, may also be compromised, even if the messages themselves remain encrypted, and that similar problems may exist for Facetime. “There are going to be parts of the protocol like the initial ‘handshake’ that rely on TLS, and those will be vulnerable to man-in-the-middle attacks,” Soltani stated.

Apple did fix the “gotofail” bug by releasing system software update for OsX Mavericks and was highly criticized by security experts at the company's delays, leaving millions of users exposed to potential eavesdropping or account hijacking. Ryan Lackey, a longtime Apple user who founded CryptoSeal, stated on Twitter that: "Whoever at Apple decided to wait 4+ days for 10.9.2 to patch the OSX vulnerability needs to no longer be in that position."

In response, Apple issued a terse note acknowledging that "an attacker" could "capture or modify data" transferred with Safari, Mail, iCloud and other Apple-created applications even though the communication streams were supposed to be securely encrypted.

In conclusion, Apple is not the first company to be hacked, but the delays and initial response and conduct of this epic security breach will remain a high concern for Apple and its customers for a long time. 


Edited by Rory J. Thompson
» More TMCnet Feature Articles
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE

LATEST TMCNET ARTICLES

» More TMCnet Feature Articles