update

Update: Apple issued OS X 10.9.2 the following day, which included a fix for the SSL bug.

After Apple fixed the SSL bug in iOS, it’s unclear why three days have passed without an OS X fix after it was revealed by Reuters that the vulnerability was created by an error in a single line of code.

The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.

As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari … 

Security researcher Ashkan Soltani (via Forbes) tested the apps installed on his own system and found that those vulnerable to the bug included Mail, Twitter, Facetime, iMessage and even Apple’s software update mechanism.

Some conspiracy theorists were suggesting that Apple had introduced the bug deliberately for use by the NSA. Since the code was part of Apple’s open-source components, and available for inspection by anyone, this seems highly unlikely (and Apple has explicitly denied). However, Fortune observes that the timing may suggest the NSA was aware of the bug and exploited it, with the bug first appearing in iOS 6.

  • Sept. 24, 2012: iOS 6.0 is released
  • Oct. 2012: Apple is added to the NSA’s list of penetrated servers
  • Dec. 1, 2012 to May 31, 2013: Apple receives 4,000 to 5,000 requests about 9,000 to 10,000 accounts and devices

Apple earlier issued a statement promising a fix “very soon,” but as of the time of writing no update is yet available. Until the bug is patched, it’s advisable not to access secure sites via public wifi hotspots.

Recently departed Apple Security Analyst Kristin Paget was harsh and pointed in her criticism of Apple saying:

Dear Apple, FIX YOUR SHIT.

Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.

What didn’t happen was the corresponding OS X patch. At least not yet.

WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?

Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.

FIX. YOUR. SHIT.

Soon.

Please?

Love and hugs as always,

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

26 Responses to “Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible”

  1. mockery17 says:

    My theory is that they’re merging the fix into 10.9.2 and they plan to release it today.

    Like

  2. Carl Perry says:

    Even an obvious fix like this requires a regression test on every application and service that uses the library to make sure that fixing this bug doesn’t break something else. Since SSL is a core service, it’s going to take some time.

    Like

  3. 2 brackets (or one pair of brackets) were omitted

    Like

  4. John Smith says:

    I can see how this would have implications for Apple apps across the board, they are likely to be sharing the same code.

    What about apps like my IOS banking app, supplied by the bank ?

    Or if I use another browser on my iPad such as Mercury?

    Like

  5. Let me get this straight. Its such a slow news day, that bloggers are now devoting whole articles to complaining that Apple isn’t coming out with security updates fast enough. Geez.

    Like

  6. Interesting…with all of the boasting about open source and how people can view the code and be able to fix it quicker we see this.

    Paget is right…Apple dropped a 0 day on every Mac user. That’s just not cool.

    Like

  7. Did I read that right? The bug also exists in iOS6? So, if you’ve got people not wanting to upgrade from iOS 6.x to 7.x – this is pretty much going to force them to upgrade if they want a secure SSL?

    Like

  8. PMZanetti says:

    “Some conspiracy theorists”

    Ben, why are you in such denial about the fact that Apple is under no obligation to tell you the truth, and under every obligation to bow to the whims of tyrants?

    Do you just TRUST them? That’s smart…

    Like

    • Every comment you make on this site, makes you sound like a paranoid lunatic IMO. Just sayin.

      Like

      • Chuck Wagner says:

        PMZanetti, you are far from a paranoid lunatic with this statement. Mr Grey just doesn’t know his history or is unwilling to be objective about the government’s criminal intrusions. If Mr Grey seriously trusts any government or any corporation in bed with government than he really should have his head examined.

        Like

  9. The reason is that if you are not a spy or a criminal, this bug is not exactly that dangerous. Also, give it like a day (a week day anyway) before you start complaining perhaps?

    Like

    • You’re are terribly incorrect. This bug IS that dangerous. It is in a piece of code that is a system-level security service for both Apple-supplied and 3rd-party applications. This VERY piece of code was supposed to ensure the TRUST of the SSL/TLS encrypted security chain; its failure puts every user on iOS 6/7 and Mac OS X 10.9 in a compromised situation every time they check their email with Mail.app, surf to a banking or e-commerce site with Safari, or sends messages with iMessages. Content can be read, passwords dumped, and credit card and account numbers read. It is known there are active exploits that could use this bug immediately that have been on the web well before Friday.

      Perhaps you should not comment on things and giving Apple benefits of doubt for subject matters you do not fully understand. This level of #fail around this bug is immense. That Apple failed to QA test for it TO BEGIN WITH is unacceptable. That they packed up TWO entire iOS releases with no interim OS X Security release ready is just further folly on their part. Furthermore, this bug needs to be pushed as a Security Update to 10.9.1, not force users into 10.9.2 and perhaps more bugs (as buggy as 10.9 and 10.9.1 have been); that should NOT take a week, considering Apple has known about this bug and the fix prior to the iOS release last week. If they had/have a proper QA security unit test in place, testing should not be a time issue.

      Like

      • Chuck Wagner says:

        Naively leaving the definition of what a “spy” or “criminal” in the hands of tyrants is absurd at best. Edward Snowden is a god damn hero and he has been labeled all of the above and even marked for summary murder by the US government. Bradley Manning is another hero that has been imprisoned and tortured. Scott you are spot on. The OS X fix should be released immediately. I’d rather see temporary issues with consuming applications not being regression tested fully than to continue to have a huge security hole in the operating system.

        Like

    • I’d hate to see what you consider dangerous. Everything Scott said… Spot On!

      Like

  10. drtyrell969 says:

    LOL, the NSA said, “Wait…we’re almost there….”

    Like