Researcher: Array of Apple Apps Vulnerable to “Gotofail” Attack
Milagli / Shutterstock
If you stopped using the Safari browser while patiently awaiting Apple’s OS X patch for the “Gotofail” security vulnerability publicized over the weekend, that’s smart.
Now strongly consider giving up Apple’s Calendar, FaceTime, Keynote, iBooks and Mail apps, as well as the Twitter Mac desktop client.
According to respected security researcher Ashkan Soltani, all of those products appear vulnerable to the same avenue of attack.
— ashkan soltani (@ashk4n) February 23, 2014
I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.
— Matthew Green (@matthew_d_green) February 21, 2014
An attacker could exploit the flaw to bypass the standard “SSL/TLS” security verification between devices and servers, enabling what’s known as a “man-in-the-middle attack.” Using this approach, a lurker can intercept the data flowing between your computer and a network connection, notably including a Wi-Fi signal in your neighborhood coffee shop.
Apple fixed the Gotofail fail for its mobile operating system on Friday, but has yet to issue an update for its desktop software. The company said Saturday that another patch would come “very soon,” but as of late afternoon Sunday it had yet to arrive.