OFFICIAL SECURITY BLOG


Apple’s “gotofail” SSL bug

Published February 24th, 2014 at 12:49 PM EST, modified February 24th, 2014 at 12:49 PM EST

On Friday, Apple released a security update for iOS 6 and 7 that has caused quite a stir in the security community. The update fixes a vulnerability in SSL – the technology that is used to encrypt data over many secure network connections – that could allow an attacker to intercept and access that data. This is a very serious matter, and iOS should be updated immediately… but only while on a secured network! Do not update while on an open wifi network!

SSL is a technology that allows data to be encrypted between a client and server. It is used by many things, such as secure web sites, connections between Mail and a secure mail server, etc. For devices that have not been patched to fix this vulnerability, it would be possible for a hacker on the same network to perform a “man-in-the-middle” attack and gain full access to any encrypted data. This could include login credentials, credit card numbers, banking information and anything else being transmitted.

gotofail code

The “gotofail” bug

The technical details are a bit embarrassing for Apple, I have to say. The bug can be seen clear as day in open-source code available on an Apple website, as shown at right. In a function that validates the credentials while establishing an SSL connection, a single line is duplicated. The code shown here is meant to do multiple checks, and if any of them fails, code execution is meant to jump (“goto”) to a specific point in the code (bearing the label “fail”, meaning that’s the code that should be executed should any part of the function fail). Unfortunately, because one of the “goto fail” lines was duplicated, that means the second one is executed every time, jumping over an important final check and going straight to the “fail” code. But since the error code has not been set, the fail code doesn’t really do anything much differently than if the function were to succeed… thus, invalid credentials would validate as easily as valid ones.
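The control flow described above, reduced to a small model. This is an added example, not Apple's source code: `hash_step`, `check_signature`, `verify_buggy` and `verify_fail_closed` are hypothetical names, and the checks are constructed stand-ins that return 0 on success.

```c
#include <stdio.h>

#define CHECK_OK   0
#define CHECK_FAIL (-1)

/* Constructed stand-ins for the real validation steps (hypothetical names). */
static int hash_step(void) { return CHECK_OK; }
static int check_signature(int sig_valid) { return sig_valid ? CHECK_OK : CHECK_FAIL; }

/* Same shape as the bug described above: the second "goto fail" is not
 * governed by the if, so it always runs while err is still 0. */
int verify_buggy(int sig_valid)
{
    int err;

    if ((err = hash_step()) != CHECK_OK)
        goto fail;
    if ((err = hash_step()) != CHECK_OK)
        goto fail;
        goto fail;                                       /* duplicated line */
    if ((err = check_signature(sig_valid)) != CHECK_OK)  /* never reached */
        goto fail;

fail:
    return err;                      /* 0 means "credentials valid" */
}

/* Fail-closed form: braces on every branch, and the result starts as a
 * failure and becomes success only after the last check has passed. */
int verify_fail_closed(int sig_valid)
{
    int result = CHECK_FAIL;

    if (hash_step() != CHECK_OK) { goto done; }
    if (hash_step() != CHECK_OK) { goto done; }
    if (check_signature(sig_valid) != CHECK_OK) { goto done; }
    result = CHECK_OK;

done:
    return result;
}

int main(void)
{
    printf("buggy,       invalid signature: %d\n", verify_buggy(0));
    printf("fail-closed, invalid signature: %d\n", verify_fail_closed(0));
    printf("fail-closed, valid signature:   %d\n", verify_fail_closed(1));
    return 0;
}
```

Clang's `-Wunreachable-code` reports the dead signature check in `verify_buggy`, and GCC 6 and later warn about the duplicated line through `-Wmisleading-indentation`.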

The Bad News

Unfortunately, Mac OS X 10.9 (aka Mavericks) is also affected. However, there’s no fix for that yet! This means that all users who have upgraded to Mavericks are vulnerable in many different apps – Safari, Mail, Calendar, etc. Even software updates use the same SSL system, and this could mean that an attacker could craft a malicious fake update and push it through a supposedly secure connection. There are no reports of this happening, and there would still be some technical hurdles to jump over even with the vulnerability, but this is still very serious.

Making matters worse, Apple has done something very, very bad. Because the same code is used by Mac OS X, by patching the vulnerability in iOS only, they created a 0-day vulnerability in Mac OS X! In other words, beginning on Friday, working backwards from the information made available about the iOS vulnerability, hackers had what they needed to figure out how to attack this vulnerability in Mac OS X. (In fact, many exploits would be able to affect either iOS or Mac OS interchangeably, since they target sessions with secure web sites and not the devices themselves.)

According to multiple sources, Mac OS X 10.9.2 is very close to being released. I’d be surprised if it’s not out by later on today sometime, given this issue. But even if that does happen, it’s really inexcusable that Apple patched one platform on Friday, then left hackers with free rein to attack their other platform all weekend. These patches should have been released concurrently, even if that meant holding off on patching iOS for a few days.

The Good News

Obviously, none of this is good. However, it’s fairly easy to avoid problems by simply following some of the same advice security experts have been giving for years… specifically, don’t do anything sensitive on an open wifi network, where anyone nearby could be intercepting your network transactions. Even though communications with SSL-protected sites shouldn’t be able to be decrypted, even on an insecure network, there has always been the possibility of a flaw with a specific site that would allow an attacker access to an online account despite SSL. Thus, experts have always warned against such things. This is simply an SSL vulnerability on a larger scale (the OS rather than a specific site). One thing that can keep you safer on insecure networks would be use of a secure VPN.

In addition, it’s been fixed for iOS. So if you have an iPad, iPhone or iPod touch, and you’re using iOS 6 or 7, just install the update appropriate for that system. Boom, done. You’re safe again.

With regard to Mac OS X, it’s important to understand that there has been a lot of speculation about malware being installed via the software update mechanism. Though this would technically be made a bit easier through this vulnerability, it still wouldn’t be easy, and there have been no verifiable reports of such a thing actually happening. It would be wise not to install any software updates while on an insecure network, but that has always been the case. Just be cautious on insecure wifi networks. Of course, since there are some services that may use SSL connections in the background (to sync your iCloud calendars, for example), it would be wise to stay off insecure wifi networks completely until this problem is cleared up, and to install Mac OS X 10.9.2 as soon as it’s available.


23 Comments

  • Larry says:

    Is the flaw in 10.8 also?

  • Jay says:

    I have tested Safari using gotofail.com and another site on OS’s as far back as 10.5.8. Only 10.9, 10.9.1 and so far 10.9.2 versions are affected.

  • Jay says:

    A hotfix for this particular issue could have (and should have) been released this weekend. Now a few hours away from Tuesday, this is unacceptable. They are more than capable to have a fix out in a matter of hours if they wanted to. *upset*

  • Kent Dorfman says:

    How can 10.9.2 be affected when it has not even been released yet?

    • Thomas says:

      I believe that Jay is speaking of things he shouldn’t technically be speaking of… shhhhh! 😉

      • Jay says:

        All hear-say of course, stuff I read online and such. 10.9.2? What’s that? I still run Mac OS 8.6 :p

        Like Al I have heard that the latest 10.9.2 seed does include a fix (the one I mentioned was a version before). So the good news is a fix may be imminent, bad news is it’s not here yet.

        I was also wondering how the AirPort Utility application communicates with base stations, would that be vulnerable now too? I haven’t been able to find any documentation on how the communication works but it makes me nervous 😉

        • Thomas says:

          Sure, sure… whatever you say! Wink, wink, nudge, nudge, say no more. 😉

          A fix in the latest seed is good news, but the fact that it’s 4 days after Apple created their own zero-day and it’s still not available is very bad. 🙁

          • Jay says:

            Paget worded it nicely “You just dropped an ugly 0day on us and then went home for the weekend”. But to be fair, bugs and vulnerabilities happen, it’s unavoidable. How they are dealt with however means everything and so far, it’s not being dealt with the way it should.

            Ah well… *refreshes Apple Downloads page and checks Software Update again*

        • Jay says:

          AirPort Utility uses “/System/Library/Frameworks/Security.framework/Versions/A/Security” which is mentioned in other affected applications. If it’s really that simple it should be pretty easy to figure out all applications and processes that link to this framework. But I won’t pretend I’ll know enough about this to be sure. Either way I will not be updating my AirPort Extreme for a while 😉 I trust my network but why risk handing over my router name and password right.

          • Al says:

            I suspect you are correct, but that particular framework serves a multitude of purposes, only part of which involves the SecureTransport function, so it’s possible that AU is using one of its other functions.

  • Taavi says:

    Wait, so 10.7.5 is secure for sure?

  • Maxim says:

    No idea why Apple does this… they can release a fix before 10.9.2… Why should I wait! I want to get the patch now 🙁

  • Larry says:

    10.9.2 is out and the fix is in it according to the release info.

  • Al says:

    Specifically:

    Data Security
    Available for: OS X Mavericks 10.9 and 10.9.1
    Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
    Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
    CVE-ID
    CVE-2014-1266

  • Darren Kehrer says:

    Safe.

    We have examined your OS and browser version information and have determined you are not at risk without actually running the test. You may force the test to run anyway.

    ——

    This is what I see on SL 10.6.8 with all available updates..

    • Thomas says:

      10.6 wasn’t affected.

    • Al says:

      And you won’t be receiving any more updates, so it’s time to start working toward an OS X upgrade.

      • Darren Kehrer says:

        It’s on my to do list. Just waiting to see where Mavericks goes and then update from there. I own a Lion thumb drive, but I don’t want to update to that and then turn around and update to Mavericks soon thereafter.
        It’s a shame, however, as SL has been my favorite system so far.
