• Explore the magic and the mystery!



  • The Notorious SSL Bug: At Least Apple Fixed It

    February 26th, 2014

    The headlines filled the airwaves and the daily newspapers. A serious SSL bug present in OS X Mavericks, iOS 6, and iOS 7 could result in Internet criminals eavesdropping or hijacking your account. To make matters worse, some suggested this bug provided an open door for the NSA to keep taps on you, although I wouldn’t presume that any of these things have actually happened.

    The signature verification bug, given the nickname “gotofail,” left literally hundreds of millions of users of Apple products vulnerable, because it allowed the attacker to use the hole in SSL and TLS connections to  break in. Not a very pleasant prospect.

    Now there has been quite a bit of fear-mongering about this problem, though it’s surely a genuine issue, although it’s not as if there is any evidence that it has actually been exploited, at least not yet. News of the flaw arrived last Friday with the release of iOS 7.0.6 and iOS 6.1.6, both of which repaired the problem.

    But the bug also impacted OS X Mavericks, and that critical fix was added to the 10.9.2 update that arrived on Tuesday. According to published reports, the flaw involve a single line of code that allowed Internet criminals to bypass SSL/TSL encryption, and if that happens all bets are off.

    If you want to know the raw details, you can examine a report posted at the Department of Homeland Security’s National Vulnerability Database.

    While some of you may not be inclined to install iOS and OS X updates until they’ve been tested and proven in the wild, this is one of those situations where you need to take a chance and get with the program. Now that the existence of the bug is known, the potential for exploitation is much greater.

    The updates for iOS 6 and iOS 7 were strictly targeted towards fixing the SSL bug. It’s not apparent that anything else was fixed. The next iOS 7 update, expected to be known as 7.1, is expected this coming March. The fix for OS X Mavericks was distributed as part of a regular maintenance update with 10 other updates and enhancements, along with a smattering of some other less severe, security fixes.

    Here’s a full ist of the changes, except for those additional issues that also impact security:

    • Adds the ability to make and receive FaceTime audio calls
    • Adds call waiting support for FaceTime audio and video calls
    • Adds the ability to block incoming iMessages from individual senders
    • Improves the accuracy of unread counts in Mail
    • Resolves an issue that prevented Mail from receiving new messages from certain providers
    • Improves AutoFill compatibility in Safari
    • Fixes an issue that may cause audio distortion on certain Macs
    • Improves reliability when connecting to a file server using SMB2
    • Fixes an issue that may cause VPN connections to disconnect
    • Improves VoiceOver navigation in Mail and Finder
    • Provides a fix for SSL connection verification

    Of course the important issue is the last, the SSL bug. The other issues aren’t quite as severe, although it’s nice to have support for FaceTime audio. Also, one would hope that Mail has finally been fixed, since it was very much broken in some respects with the release of Mavericks.

    But you have to wonder about the security situation with, say, Google’s Android platform. After all, the vast majority of Android phones continue to use an older version of the OS. If this sort of bug happened on that platform, how would Google handle the situation? How would they be able to push the critical fix, when they have to negotiate with the handset makers and carriers to get the maintenance update in the hands of users?

    What indeed!

    According to an editorial posted this past weekend by Daniel Eran Dilger in AppleInsider, “Android’s latest bug was a critical security flaw in Android’s WebView, first disclosed 14 months ago.”

    Daniel’s article further states that some 82% of iOS devices are using the latest version, with another 15% running iOS 6. There’s no indication that the SSL verification bug impacted older versions.

    In contrast, a mere 1.8% of Android handsets were reported using version 4.4 KitKat as of earlier this month. Some 20% are still saddled with version 2.3.x Gingerbread, first released in 2010.

    Just this week there was a story about yet another serious Android security bug. With the broken update structure, can anyone using an Android gadget be assured it will be fixed any time soon?

    Now to be fair, you can say that Apple should not have allowed this bug to make it through regular Q&A testing. Certainly the people responsible should get a strong verbal lashing for making iOS and OS X severely vulnerable as the result of this foolish bug.

    But it’s also true that nothing is perfect, and perhaps the testing process made assumptions that allowed this defect to go through. After all, verification of SSL and TSL connections are certainly new technologies.

    So let this be an object lesson. Apple fixed the bug. But you have to look at other platforms and see if such issues would be addressed as quickly. With Android, the answer would no doubt be no, and I wonder why the media, amid the gloom and doom headlines, has failed to acknowledge that fact.



    Share
    | Print This Post Print This Post

    One Response to “The Notorious SSL Bug: At Least Apple Fixed It”

    1. dfs says:

      Yes, Apple fixed it with OSX9.2, which is a Good Thing in itself. But I hope that this flap about the SSL didn’t panic into releasing this new version prematurely before all its bugs have firmly been squashed.

    Leave Your Comment