Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage ... - Mac Rumors

/ Labels: ,
Apple has confirmed that it will issue a software update "very soon" to patch the security flaw found in OS X that allows attackers to capture or modify data protected by the SSL/TLS protocols in Safari, reports Reuters . The vulnerability of OS X to the bug was detailed by security firm CrowdStrike and a Google engineer last Friday, and came right after Apple released iOS 7.0.6 to fix the SSL-related issues on iOS.

However, the security flaw, which has been termed "GoToFail" by security specialists due to the improperly used "goto" command that triggers it, may be affecting more than just Safari. Independent privacy researcher Ashkan Soltani has pointed out on his Twitter (via Forbes ) that Apple's vulnerable SSL library is also used by apps including FaceTime, iMessage, Twitter, Calendar, Keynote, Mail, iBooks, Software Update, and more.


gotofail_list_of_apps


A list of apps deemed vulnerable to the SSL bug found in OS X and iOS by security researcher Ashkan Soltani



Soltani does point out that apps such as iMessage and FaceTime have addded security measures that weaken the effects of the security flaw, but also added that the initial iCloud login used to authenticate such apps may also be compromised. The researcher states that other parts of the protocol such as the handshake between a service and a device are vulnerable to an attack as well, and will need to be secured by Apple.

Currently, users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari. As users wait for a fix to the flaw, CrowdStrike recommends avoiding untrusted and unsecured WiFi networks while traveling. The site also recommends that users update to iOS 7.0.6 if they have not yet installed it on their iOS devices.



I can imagine an NSA techie slamming his head into a wall while saying "*******! They found the loophole I inserted!"

No security.

Great work, Apple!




i hope this is a separate security release, and not only available in 10.9.2.




And it better come tomorrow :mad:

My definition of "very soon," and Apple's definition of "very soon," are very different. :(

i hope this is a separate security release, and not only available in 10.9.2.

At least they're fixing it! Look on the bright side :P

GoToFail.com actually exists.

Nice.

...

Aside from that, why does there need to be 'new research' to confirm that other applications are affected? The bug is a part of OS X's SSL verification system, so of course it is going to affect other applications that use Apple's web services...Forbes ad revenue...

I wonder if *very soon* has been worked on over the weekend?


What would be your definition of very soon given that the news of this came out mid-day Friday or so?




In line with the release of the iOS update. That would be "very soon".

Apple has done a poor job of getting the word out about this vulnerability and what their customers should have been, and should be doing while waiting for the patch.


I've notified a dozen or so people I know that use iOS devices or Macs, and none of them knew about the bug, let alone that they should be avoiding public wifi. Apple could have communicated with their customers much better on this.



So are Apple going to block all these vulnerable apps from running until a fix is available? Or us that kind of calling-out just reserved for Flash.





via apple - Google News http://ift.tt/1hgRLbd

0 comments:

Post a Comment