Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible

Update: Apple issued OS X 10.9.2 the following day, which included a fix for the SSL bug.

After Apple fixed the SSL bug in iOS, it’s unclear why three days have passed without an OS X fix, given that Reuters has revealed the vulnerability was created by an error in a single line of code.

The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.

As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari … 
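To make the mechanism concrete, here is an added, simplified C reconstruction of the control-flow shape behind the bug; it is not Apple’s code and not from the article, and `hash_update` and `verify_signature` are hypothetical stand-ins for the real hashing and signature-check steps. Without braces, a duplicated `goto fail;` is unconditional and jumps to cleanup while `err` is still 0, so the signature check is never reached; the fixed variant reaches it.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified reconstruction of the defect (constructed example, not Apple's
   code): a stray second "goto fail;" outside any braces always transfers
   control to the cleanup label with err still 0, so the signature check
   below it is dead code. */

typedef int OSStatus;
enum { errOk = 0, errBadHash = -1, errBadSig = -2 };

/* Hypothetical stand-ins for the hash-update and signature-verify steps. */
static OSStatus hash_update(const char *data) {
    return data ? errOk : errBadHash;
}
static OSStatus verify_signature(const char *sig) {
    return (sig && strcmp(sig, "valid") == 0) ? errOk : errBadSig;
}

/* Vulnerable shape: the duplicated goto is unconditional. */
OSStatus verify_server_key_exchange_vulnerable(const char *params,
                                               const char *sig) {
    OSStatus err;
    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;   /* BUG: always taken; err == 0 at this point */
    if ((err = verify_signature(sig)) != 0)
        goto fail;   /* never reached */
fail:
    return err;      /* reports success even for a forged signature */
}

/* Fixed shape: one goto per check, so the verify step is reachable. */
OSStatus verify_server_key_exchange_fixed(const char *params,
                                          const char *sig) {
    OSStatus err;
    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(params)) != 0)
        goto fail;
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}
```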

Security researcher Ashkan Soltani (via Forbes) tested the apps installed on his own system and found that those vulnerable to the bug included Mail, Twitter, Facetime, iMessage and even Apple’s software update mechanism.

Some conspiracy theorists were suggesting that Apple had introduced the bug deliberately for use by the NSA. Since the code was part of Apple’s open-source components, and available for inspection by anyone, this seems highly unlikely (and Apple has explicitly denied it). However, Fortune observes that the timing may suggest the NSA was aware of the bug and exploited it, with the bug first appearing in iOS 6.

  • Sept. 24, 2012: iOS 6.0 is released
  • Oct. 2012: Apple is added to the NSA’s list of penetrated servers
  • Dec. 1, 2012 to May 31, 2013: Apple receives 4,000 to 5,000 requests about 9,000 to 10,000 accounts and devices

Apple earlier issued a statement promising a fix “very soon,” but as of the time of writing no update is yet available. Until the bug is patched, it’s advisable not to access secure sites via public wifi hotspots.

Recently departed Apple Security Analyst Kristin Paget was harsh and pointed in her criticism of Apple, saying:

Dear Apple, FIX YOUR SHIT.

Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.

What didn’t happen was the corresponding OS X patch. At least not yet.

WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?

Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.

FIX. YOUR. SHIT.

Soon.

Please?

Love and hugs as always,

Comments

  1. mockery17 - 10 years ago

    My theory is that they’re merging the fix into 10.9.2 and they plan to release it today.

  2. Carl Perry - 10 years ago

    Even an obvious fix like this requires a regression test on every application and service that uses the library to make sure that fixing this bug doesn’t break something else. Since SSL is a core service, it’s going to take some time.

    • Povilas Griškevičius - 10 years ago

      What kind of regression? It’s one line of code.

      • Will Persampieri - 10 years ago

        You can always tell who the non-programmers telling the programmers how to do their job are…

      • Povilas Griškevičius - 10 years ago

        Don’t be so easily wounded, programmer.

      • Sean Macdonald - 10 years ago

        Fixing it could break other things. What if it broke Find My Mac? Or iCloud backup? or dropZone? Or whatever their iTunes streaming service is called.

        I have had cases where I had to turn SSL off in order to test some bit of functionality, and turning it back on required lots of frustrating debugging.

        This of course is not to excuse Apple. Those services should be protected by SSL without a doubt. Just to illustrate that fixing one semicolon is not as easy or side-effect-free as you suggest.

  3. Jonathan (@Jon889) - 10 years ago

    2 brackets (or one pair of brackets) were omitted

  4. John Smith - 10 years ago

    I can see how this would have implications for Apple apps across the board, they are likely to be sharing the same code.

    What about apps like my iOS banking app, supplied by the bank?

    Or if I use another browser on my iPad such as Mercury?

    • mockery17 - 10 years ago

      The bug is fixed in iOS 7.0.6. Update your devices and you’re safe.

      • John Smith - 10 years ago

        Hate iOS 7 with a passion.

        If no work around, this might force me to update, but I don’t want to if I still have a choice.

        So sticking with original question … does a third party app such as my banking app or a third party browser such as Mercury rely on the flawed apple code?

        Man in the middle attacks appear to be the issue here. It’s no problem to me to restrict (example) app store updates to a trusted network. Not so happy if everything is vulnerable and I cannot use other networks at any time.

      • mockery17 - 10 years ago

        Pretty much yes if you also hate jailbreak with a passion. If you are jailbroken, Ryan Petrich has released a Cydia package called SSL Patch that fixes the bug for iOS 6 and 7.

      • Daniel Perván - 10 years ago

        If you don’t want to update to iOS7, Apple also released 6.1.6 which fixes this bug.

  5. Drew (@gettysburg11s) - 10 years ago

    Let me get this straight. It’s such a slow news day that bloggers are now devoting whole articles to complaining that Apple isn’t coming out with security updates fast enough. Geez.

  6. Jim Huls (@Techslacker) - 10 years ago

    Interesting…with all of the boasting about open source and how people can view the code and be able to fix it quicker we see this.

    Paget is right…Apple dropped a 0 day on every Mac user. That’s just not cool.

  7. ibitebcareful - 10 years ago

    Did I read that right? The bug also exists in iOS6? So, if you’ve got people not wanting to upgrade from iOS 6.x to 7.x – this is pretty much going to force them to upgrade if they want a secure SSL?

    • Mike Gates (@cmkrnl) - 10 years ago

      There is a fix for iOS 6 as well

      • ibitebcareful - 10 years ago

        Yeah, but I imagine that is for devices that are not compatible with iOS 7. So if your device is capable of running iOS 7 – it will have to run it – in order to apply the fix.

  8. PMZanetti - 10 years ago

    “Some conspiracy theorists”

    Ben, why are you in such denial about the fact that Apple is under no obligation to tell you the truth, and under every obligation to bow to the whims of tyrants?

    Do you just TRUST them? That’s smart…

    • Mr. Grey (@mister_grey) - 10 years ago

      Every comment you make on this site, makes you sound like a paranoid lunatic IMO. Just sayin.

      • Chuck Wagner - 10 years ago

        PMZanetti, you are far from a paranoid lunatic with this statement. Mr Grey just doesn’t know his history or is unwilling to be objective about the government’s criminal intrusions. If Mr Grey seriously trusts any government or any corporation in bed with government then he really should have his head examined.

  9. Mr. Grey (@mister_grey) - 10 years ago

    The reason is that if you are not a spy or a criminal, this bug is not exactly that dangerous. Also, give it like a day (a week day anyway) before you start complaining perhaps?

    • Scott (@ScooterComputer) - 10 years ago

      You are terribly incorrect. This bug IS that dangerous. It is in a piece of code that is a system-level security service for both Apple-supplied and 3rd-party applications. This VERY piece of code was supposed to ensure the TRUST of the SSL/TLS encrypted security chain; its failure puts every user on iOS 6/7 and Mac OS X 10.9 in a compromised situation every time they check their email with Mail.app, surf to a banking or e-commerce site with Safari, or send messages with iMessages. Content can be read, passwords dumped, and credit card and account numbers read. It is known there are active exploits that could use this bug immediately that have been on the web well before Friday.

      Perhaps you should not comment on things and give Apple the benefit of the doubt for subject matters you do not fully understand. This level of #fail around this bug is immense. That Apple failed to QA test for it TO BEGIN WITH is unacceptable. That they packed up TWO entire iOS releases with no interim OS X Security release ready is just further folly on their part. Furthermore, this bug needs to be pushed as a Security Update to 10.9.1, not force users into 10.9.2 and perhaps more bugs (as buggy as 10.9 and 10.9.1 have been); that should NOT take a week, considering Apple has known about this bug and the fix prior to the iOS release last week. If they had/have a proper QA security unit test in place, testing should not be a time issue.

      • Chuck Wagner - 10 years ago

        Naively leaving the definition of what a “spy” or “criminal” is in the hands of tyrants is absurd at best. Edward Snowden is a god damn hero and he has been labeled all of the above and even marked for summary murder by the US government. Bradley Manning is another hero that has been imprisoned and tortured. Scott you are spot on. The OS X fix should be released immediately. I’d rather see temporary issues with consuming applications not being regression tested fully than to continue to have a huge security hole in the operating system.

    • ibitebcareful - 10 years ago

      I’d hate to see what you consider dangerous. Everything Scott said… Spot On!

  10. drtyrell969 - 10 years ago

    LOL, the NSA said, “Wait…we’re almost there….”

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
