Apple fixed a major security flaw in its mobile operating system on Friday, but appears to have momentarily left its desktop software open to attack, according to security experts.
Researchers at CrowdStrike reverse engineered Apple’s “emergency SSL security update for iOS (7.0.6)” to analyze what has become known as the “Gotofail” bug. They found that an attacker could exploit the earlier hole to bypass the standard “SSL/TLS” security verification protocols, which enable encrypted communications online, adding:
“This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider, and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”
But Apple’s patch only covered its mobile operating system, iOS, while its standard OS X operating system is also vulnerable, according to CrowdStrike. Various researchers and reporters have found that Apple’s Safari browser and Mail application could be susceptible. It doesn’t appear that the Firefox or Chrome browsers are.
Apple said another patch is on the way.
“We are aware of this issue and already have a software fix that will be released very soon,” Apple spokeswoman Trudy Muller said.
Still, respected security researchers were shocked by Apple’s practices in this instance.
Biggest concern: SSL #gotofail suggests Apple isn’t running security unit tests for bad/spoofed certs! Totally unacceptable in this day/age
— ashkan soltani (@ashk4n) February 23, 2014
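The tweet above faults Apple for apparently not running unit tests against bad or spoofed certificates. The C program below is an added illustration, not code from this article, from CrowdStrike, or from Apple's Secure Transport library: it models the well-documented shape of the "Gotofail" defect (a duplicated, unconditional `goto fail` that jumps to the cleanup label while the error code is still zero, so the signature comparison is never reached) using stand-in hash and verify steps, and shows the kind of test that would have caught it. All function names, the toy hash, and the sample values are assumptions made for the illustration.

```c
#include <stdio.h>

/* Added illustration of the "gotofail" control-flow defect. This is NOT
 * Apple's code; the hash and verify steps are toy stand-ins so that the
 * effect of the duplicated `goto fail` line can be observed and tested. */

/* Toy stand-ins for the hashing steps (constructed for this example). */
static int hash_update(int *hash, int chunk) { *hash ^= chunk; return 0; }
static int hash_final(int *hash, int *out)  { *out = *hash * 31; return 0; }

/* Toy signature check: 0 means "signature matches", -1 means failure. */
static int raw_verify(int hash_out, int sig) {
    return (sig == hash_out) ? 0 : -1;
}

/* Buggy version: mirrors the duplicated-goto structure. The second,
 * unconditional `goto fail` is always taken while err is still 0, so the
 * hash is never finalised, raw_verify() never runs, and the function
 * reports success for ANY signature. */
int verify_signed_params_buggy(int server_random, int signed_params, int sig) {
    int err;
    int hash = 0, hash_out = 0;
    if ((err = hash_update(&hash, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&hash, signed_params)) != 0)
        goto fail;
        goto fail;                      /* the extra line: always taken */
    if ((err = hash_final(&hash, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, sig);    /* unreachable in this version */
fail:
    return err;
}

/* Fixed version: identical except the duplicated line is gone, so the
 * signature check is reached whenever the preceding steps succeed. */
int verify_signed_params_fixed(int server_random, int signed_params, int sig) {
    int err;
    int hash = 0, hash_out = 0;
    if ((err = hash_update(&hash, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&hash, signed_params)) != 0)
        goto fail;
    if ((err = hash_final(&hash, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, sig);
fail:
    return err;
}

/* The unit test the tweet is asking for, in miniature: a correct signature
 * must be accepted AND an incorrect one must be rejected. Returns 1 if the
 * verifier under test behaves correctly, 0 if it accepts a bad signature. */
int rejects_bad_signature(int (*verify)(int, int, int)) {
    int server_random = 0x1234, signed_params = 0x5678;   /* constructed */
    int hash = 0, good_sig = 0;
    hash_update(&hash, server_random);
    hash_update(&hash, signed_params);
    hash_final(&hash, &good_sig);
    int bad_sig = good_sig + 1;                            /* constructed */
    if (verify(server_random, signed_params, good_sig) != 0) return 0;
    if (verify(server_random, signed_params, bad_sig) == 0)  return 0;
    return 1;
}

int main(void) {
    printf("buggy verifier passes bad-signature test: %d\n",
           rejects_bad_signature(verify_signed_params_buggy));   /* 0 */
    printf("fixed verifier passes bad-signature test: %d\n",
           rejects_bad_signature(verify_signed_params_fixed));   /* 1 */
    return 0;
}
```

A negative test of this kind is cheap to keep in a build: it needs no network and no real certificate, only a verification routine and a signature that cannot be right. The buggy version fails it immediately, which is the whole point of the tweet's complaint.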
Google’s Adam Langley wrote on his blog: “Yesterday, Apple pushed a rather spooky security update for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details. … This sort of subtle bug deep in the code is a nightmare. I believe that it’s just a mistake and I feel very bad for whomever might have slipped in an editor and created it.”
But others perceived more sinister possibilities.
Close Apple watcher John Gruber raised the question of whether the National Security Agency might have inserted the bug as a backdoor — or noticed and exploited it. He noted that the vulnerability found its way into the mobile operating system around the same time the NSA claimed the ability to access information from Apple through the PRISM program, according to the slides leaked by former security contractor Edward Snowden.
I see five levels of paranoia:
1. Nothing. The NSA was not aware of this vulnerability.
2. The NSA knew about it, but never exploited it.
3. The NSA knew about it, and exploited it.
4. NSA itself planted it surreptitiously.
5. Apple, complicit with the NSA, added it.
Me, I’ll go as far as #3. In fact, I think that’s actually the optimistic scenario — because we know from the PRISM slides that the NSA claims some ability to do what this vulnerability would allow. So if this bug, now closed, is not what the NSA was exploiting, it means there might exist some other vulnerability that remains open.
For now, here’s what CrowdStrike recommends for Apple customers:
Update your Apple devices and systems as soon as possible to the latest available versions. Do not use untrusted networks (especially WiFi) while traveling, until you can update the devices from a trusted network. On unpatched mobile and laptop devices, set the “Ask to Join Networks” setting to OFF, which will prevent them from showing prompts to connect to untrusted networks.
Re/code’s John Paczkowski contributed to this post.