Update: Apple issued OS X 10.9.2 the following day, which included a fix for the SSL bug.
After Apple fixed the SSL bug in iOS, it’s unclear why three days have passed without an OS X fix, given that Reuters revealed the vulnerability was created by an error in a single line of code.
The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.
As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari …
Security researcher Ashkan Soltani (via Forbes) tested the apps installed on his own system and found that those vulnerable to the bug included Mail, Twitter, Facetime, iMessage and even Apple’s software update mechanism.
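The “single line” and “omitted bracket” described above are easiest to understand in code. The block below is an added illustration, not Apple’s code: it is a constructed toy verifier with a stand-in hash context and a string-comparison “signature check”, written only to show the control-flow shape of the bug and of the fix. The function names (`verify_vulnerable`, `verify_fixed`, `rejects_forgery`) and the transcript strings are assumptions for this example. It also shows the kind of unit test the comments below argue for: one that feeds the verifier a forged signature and requires rejection.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed error codes standing in for the real library's values. */
enum { errOK = 0, errHashUpdateFailed = -1, errSSLCrypto = -2 };

/* Toy "hash context": just accumulates the transcript bytes. */
typedef struct { unsigned char buf[64]; size_t len; } toy_ctx;

static int hash_update(toy_ctx *ctx, const char *data) {
    size_t n = strlen(data);
    if (ctx->len + n > sizeof ctx->buf) return errHashUpdateFailed;
    memcpy(ctx->buf + ctx->len, data, n);
    ctx->len += n;
    return errOK;
}

/* Toy signature check: a signature is "valid" only if it equals the hashed
 * transcript byte for byte. This replaces real RSA/ECDSA verification. */
static int verify_signature(const toy_ctx *ctx, const char *sig) {
    if (strlen(sig) == ctx->len && memcmp(ctx->buf, sig, ctx->len) == 0)
        return errOK;
    return errSSLCrypto;
}

/* Vulnerable shape: the second `goto fail;` is not inside the if's braces,
 * so it runs unconditionally with err still errOK. Everything after it,
 * including the signature check, is dead code, and the function reports
 * success for any signature at all. */
int verify_vulnerable(const char *client_rand, const char *server_rand,
                      const char *params, const char *sig) {
    toy_ctx ctx = {{0}, 0};
    int err;
    if ((err = hash_update(&ctx, client_rand)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_rand)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken */
    if ((err = hash_update(&ctx, params)) != 0)
        goto fail;
    err = verify_signature(&ctx, sig);
fail:
    return err;
}

/* Fixed shape: every early exit is braced, so a stray extra line cannot
 * silently become an unconditional jump. */
int verify_fixed(const char *client_rand, const char *server_rand,
                 const char *params, const char *sig) {
    toy_ctx ctx = {{0}, 0};
    int err;
    if ((err = hash_update(&ctx, client_rand)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&ctx, server_rand)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&ctx, params)) != 0) {
        goto fail;
    }
    err = verify_signature(&ctx, sig);
fail:
    return err;
}

/* The regression test this bug needed: a verifier must accept the genuine
 * signature and reject a forged one. Returns 1 if both hold, else 0. */
int rejects_forgery(int (*verify)(const char *, const char *,
                                  const char *, const char *)) {
    const char *good_sig = "CRSRPARAMS";   /* constructed: equals transcript */
    const char *bad_sig  = "FORGED";       /* constructed: does not */
    return verify("CR", "SR", "PARAMS", good_sig) == errOK
        && verify("CR", "SR", "PARAMS", bad_sig) != errOK;
}

int main(void) {
    printf("vulnerable accepts forgery: %s\n",
           verify_vulnerable("CR", "SR", "PARAMS", "FORGED") == errOK ? "yes" : "no");
    printf("fixed accepts forgery:      %s\n",
           verify_fixed("CR", "SR", "PARAMS", "FORGED") == errOK ? "yes" : "no");
    printf("fixed passes regression:    %s\n",
           rejects_forgery(verify_fixed) ? "yes" : "no");
    return 0;
}
```

Two defensive takeaways follow from the shape alone: always brace single-statement `if` bodies in security-critical paths, and let the compiler help, since clang’s `-Wunreachable-code` reports the `hash_update` and `verify_signature` calls after the duplicated `goto` as unreachable (GCC accepts the same flag but no longer acts on it in recent versions). The `rejects_forgery` check is the kind of negative test that turns an invisible logic slip into a failing build.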
Some conspiracy theorists were suggesting that Apple had introduced the bug deliberately for use by the NSA. Since the code was part of Apple’s open-source components, and available for inspection by anyone, this seems highly unlikely (and Apple has explicitly denied it). However, Fortune observes that the timing may suggest the NSA was aware of the bug and exploited it, with the bug first appearing in iOS 6.
- Sept. 24, 2012: iOS 6.0 is released
- Oct. 2012: Apple is added to the NSA’s list of penetrated servers
- Dec. 1, 2012 to May 31, 2013: Apple receives 4,000 to 5,000 requests about 9,000 to 10,000 accounts and devices
Apple earlier issued a statement promising a fix “very soon,” but as of the time of writing no update is yet available. Until the bug is patched, it’s advisable not to access secure sites via public wifi hotspots.
Recently departed Apple security analyst Kristin Paget was harsh and pointed in her criticism of Apple, saying:
Dear Apple, FIX YOUR SHIT.
Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.
What didn’t happen was the corresponding OS X patch. At least not yet.
WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?
Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.
FIX. YOUR. SHIT.
Soon.
Please?
Love and hugs as always,
My theory is that they’re merging the fix into 10.9.2 and they plan to release it today.
Even an obvious fix like this requires a regression test on every application and service that uses the library to make sure that fixing this bug doesn’t break something else. Since SSL is a core service, it’s going to take some time.
What kind of regression? It’s one line of code.
You can always tell who the non-programmers telling the programmers how to do their job are…
Don’t be so easily wounded, programmer.
Fixing it could break other things. What if it broke Find My Mac? Or iCloud backup? or dropZone? Or whatever their iTunes streaming service is called.
I have had cases where i had to turn SSL off in order to test some bit of functionality, and turning it back on required lots of frustrating debugging.
This of course is not to excuse Apple. Those services should be protected by SSL without a doubt. Just to illustrate that fixing one semicolon is not as easy or side-effect free as you suggest.
2 brackets (or one pair of brackets) were omitted
I can see how this would have implications for Apple apps across the board, they are likely to be sharing the same code.
What about apps like my iOS banking app, supplied by the bank?
Or if I use another browser on my iPad such as Mercury?
The bug is fixed in iOS 7.0.6. Update your devices and you’re safe.
Hate iOS 7 with a passion.
If no work around, this might force me to update, but I don’t want to if I still have a choice.
So sticking with original question … does a third party app such as my banking app or a third party browser such as Mercury rely on the flawed apple code?
Man-in-the-middle attacks appear to be the issue here. It’s no problem to me to restrict (for example) App Store updates to a trusted network. Not so happy if everything is vulnerable and I cannot use other networks at any time.
Pretty much yes if you also hate jailbreak with a passion. If you are jailbroken, Ryan Petrich has released a Cydia package called SSL Patch that fixes the bug for iOS 6 and 7.
If you don’t want to update to iOS7, Apple also released 6.1.6 which fixes this bug.
Maybe there is something similar for iOS6: http://www.redmondpie.com/how-to-fix-ssl-security-flaw-in-ios-7-without-updating-to-ios-7.0.6/
Let me get this straight. It’s such a slow news day that bloggers are now devoting whole articles to complaining that Apple isn’t coming out with security updates fast enough. Geez.
Interesting…with all of the boasting about open source and how people can view the code and be able to fix it quicker we see this.
Paget is right…Apple dropped a 0 day on every Mac user. That’s just not cool.
Did I read that right? The bug also exists in iOS6? So, if you’ve got people not wanting to upgrade from iOS 6.x to 7.x – this is pretty much going to force them to upgrade if they want a secure SSL?
There is a fix for iOS 6 as well
Yeah, but I imagine that is for devices that are not compatible with iOS 7. So if your device is capable of running iOS 7 – it will have to run it – in order to apply the fix.
“Some conspiracy theorists”
Ben, why are you in such denial about the fact that Apple is under no obligation to tell you the truth, and under every obligation to bow to the whims of tyrants?
Do you just TRUST them? That’s smart…
Every comment you make on this site, makes you sound like a paranoid lunatic IMO. Just sayin.
PMZanetti, you are far from a paranoid lunatic with this statement. Mr Grey just doesn’t know his history or is unwilling to be objective about the government’s criminal intrusions. If Mr Grey seriously trusts any government or any corporation in bed with government, then he really should have his head examined.
The reason is that if you are not a spy or a criminal, this bug is not exactly that dangerous. Also, give it like a day (a week day anyway) before you start complaining perhaps?
You are terribly incorrect. This bug IS that dangerous. It is in a piece of code that is a system-level security service for both Apple-supplied and 3rd-party applications. This VERY piece of code was supposed to ensure the TRUST of the SSL/TLS encrypted security chain; its failure puts every user on iOS 6/7 and Mac OS X 10.9 in a compromised situation every time they check their email with Mail.app, surf to a banking or e-commerce site with Safari, or send messages with iMessage. Content can be read, passwords dumped, and credit card and account numbers read. It is known there are active exploits that could use this bug immediately that have been on the web well before Friday.
Perhaps you should not comment on things and give Apple the benefit of the doubt for subject matters you do not fully understand. This level of #fail around this bug is immense. That Apple failed to QA test for it TO BEGIN WITH is unacceptable. That they packed up TWO entire iOS releases with no interim OS X Security release ready is just further folly on their part. Furthermore, this bug needs to be pushed as a Security Update to 10.9.1, not force users into 10.9.2 and perhaps more bugs (as buggy as 10.9 and 10.9.1 have been); that should NOT take a week, considering Apple has known about this bug and the fix prior to the iOS release last week. If they had/have a proper QA security unit test in place, testing should not be a time issue.
Naively leaving the definition of what a “spy” or “criminal” is in the hands of tyrants is absurd at best. Edward Snowden is a god damn hero and he has been labeled all of the above and even marked for summary murder by the US government. Bradley Manning is another hero that has been imprisoned and tortured. Scott, you are spot on. The OS X fix should be released immediately. I’d rather see temporary issues with consuming applications not being regression tested fully than to continue to have a huge security hole in the operating system.
I’d hate to see what you consider dangerous. Everything Scott said… Spot On!
LOL, the NSA said, “Wait…we’re almost there….”