Update: Apple issued OS X 10.9.2 the following day, which included a fix for the SSL bug.

Three days after Apple fixed the SSL bug in iOS, it’s unclear why there is still no OS X fix, particularly now that Reuters has revealed that the vulnerability was created by an error in a single line of code.

The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.

As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari … 

Security researcher Ashkan Soltani (via Forbes) tested the apps installed on his own system and found that those vulnerable to the bug included Mail, Twitter, Facetime, iMessage and even Apple’s software update mechanism.
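To show why one stray line can switch off certificate authentication entirely, here is a simplified C reconstruction of the bug’s shape (an added example, not Apple’s code; the hash and signature functions are toy stand-ins constructed for illustration). A duplicated, unconditional `goto fail;` skips the rest of the verification and returns the error code left by the last successful step, which is zero, so any signature is accepted; the second function shows the braced form that makes the mistake impossible.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy hash and signature stand-ins, constructed for this example only. */
typedef struct { uint32_t acc; } HashCtx;

static int hash_init(HashCtx *c) { c->acc = 0; return 0; }
static int hash_update(HashCtx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) c->acc = c->acc * 31u + p[i];
    return 0;
}
static int hash_final(HashCtx *c, uint32_t *out) { *out = c->acc; return 0; }
/* The "signature" is valid only if it equals the digest: 0 = OK, -1 = bad. */
static int check_signature(uint32_t digest, uint32_t sig) { return digest == sig ? 0 : -1; }

/* Helper so a caller can build a valid toy signature for the given bytes. */
uint32_t toy_hash(const uint8_t *p, size_t n) {
    HashCtx c; uint32_t d;
    hash_init(&c); hash_update(&c, p, n); hash_final(&c, &d);
    return d;
}

/* Vulnerable shape: the second `goto fail;` is indented as if guarded by the
 * if, but C has no block here, so it always runs. hash_final and
 * check_signature are never reached and err is still 0 from the last update. */
int verify_vulnerable(const uint8_t *params, size_t n, uint32_t sig) {
    HashCtx ctx; uint32_t digest = 0; int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;              /* the duplicated line: unconditional */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = check_signature(digest, sig);
fail:
    return err;
}

/* Fixed shape: braces on every if, so a stray line cannot silently become
 * unconditional and the signature check is always reached. */
int verify_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    HashCtx ctx; uint32_t digest = 0; int err;
    if ((err = hash_init(&ctx)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, params, n)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    err = check_signature(digest, sig);
fail:
    return err;
}
```

Compiling with unreachable-code warnings enabled (and treating them as errors in CI) is the cheapest way to catch this class of mistake before it ships.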

Some conspiracy theorists have suggested that Apple introduced the bug deliberately for use by the NSA. Since the code was part of Apple’s open-source components, available for inspection by anyone, this seems highly unlikely (and Apple has explicitly denied it). However, Fortune observes that the timing may suggest the NSA was aware of the bug and exploited it, with the bug first appearing in iOS 6.

  • Sept. 24, 2012: iOS 6.0 is released
  • Oct. 2012: Apple is added to the NSA’s list of penetrated servers
  • Dec. 1, 2012 to May 31, 2013: Apple receives 4,000 to 5,000 requests about 9,000 to 10,000 accounts and devices

Apple earlier issued a statement promising a fix “very soon,” but as of the time of writing no update is yet available. Until the bug is patched, it’s advisable not to access secure sites via public Wi-Fi hotspots.

Recently departed Apple Security Analyst Kristin Paget was harsh and pointed in her criticism of Apple, saying:

Dear Apple, FIX YOUR SHIT.

Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.

What didn’t happen was the corresponding OS X patch. At least not yet.

WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?

Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.

Love and hugs as always,