Apple under fire after massive exploits found in iOS, OS X, Safari, Mail, Facetime, iBooks, Apple Update

Apple is having a rough week, and fans of its products should be hoping for patches as soon as possible.

The company revealed a critical bug in its iOS and Safari data security, and quickly released a patch, iOS 7.0.6. Following that revelation, researchers found the same bug for Mac OS X, and today another researcher says the security holes go way further, extending to nearly all of Apple's services and apps. The bug has been dubbed 'GoToFail' due to a single improperly coded 'goto' command in Apple's code.



Among the list of vulnerable apps and services are Mail, Twitter, Facetime, iMessage, iBooks and Apple's software update mechanism.

At the heart of the problem is Apple's "'secure transport' framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL."

Ashkan Soltani, a privacy researcher well known for analyzing documents leaked by Edward Snowden for the Washington Post, released the list of vulnerable apps. The researcher says if someone wanted to they could "fake that verification [of how Apple authenticates their secure connection with servers] and hijack or corrupt traffic using what's known as a 'man-in-the-middle' attack."

The most disturbing revelation is the fact that Apple's update application is compromised. The update application is the mechanism that pushes security patches and more to OS X devices. At worst, malware could be pushed to victims' Macs.




Written by: Andre Yoskowitz @ 23 Feb 2014 23:43
Tags
Apple Mac OSX GoToFail
  • 19 comments
  • Jemborg

    Ta-da!

    "Security through obscu... huh?"

    It's a lot easier being righteous than right.


    24.2.2014 05:46 #1

  • Jemborg

    Hey, my above comment did not show on the "Latest User Comments" sidebar.... It's an Apple conspiracy-through-obscurity! :P






    -------------------------------------------------------------------

    It's a lot easier being righteous than right.


    24.2.2014 07:24 #2

  • Dragon3000

    The bigger they are the harder they fall.

    24.2.2014 07:52 #3

  • molsen

    Major oversight on Apple's part.

    24.2.2014 11:07 #4

  • hearme0

    "But but but Apple is supposed to be safer and without troubles, viruses or complications"........."That's why I bought a MAC, because they don't have problems"

    Isn't this what we've all heard at least once?!?!?!

    24.2.2014 11:45 #5

  • aldan

    bazinga!

    24.2.2014 12:21 #6

  • nintenut

    No viruses on Mac, right?

    Only crippling security exploits.


    24.2.2014 13:59 #7

  • SomeBozo

    Originally posted by nintenut: No viruses on Mac, right?

    Only crippling security exploits.
    That is write absolutely know viruses on eh Mac. Just like that last sentence was all spelled correctly :) Can't wait to see a friend to berated me up and down that Macs never have any security holes and that they never had any viruses...

    24.2.2014 15:23 #8

  • Mrguss

    The next Crapple bug could be dubbed 'GoToHell' !?
    ...and never return !!!

    +5000

    24.2.2014 17:05 #9

  • GryphB

    No O/S is ever 100% protected from STD's and other crap.

    24.2.2014 19:47 #10

  • Jemborg

    Originally posted by hearme0: "But but but Apple is supposed to be safer and without troubles, viruses or complications"........."That's why I bought a MAC, because they don't have problems"

    Isn't this what we've all heard at least once?!?!?!
    Too right.

    Originally posted by SomeBozo: Originally posted by nintenut: No viruses on Mac, right?

    Only crippling security exploits.
    That is write absolutely know viruses on eh Mac. Just like that last sentence was all spelled correctly :) Can't wait to see a friend to berated me up and down that Macs never have any security holes and that they never had any viruses...
    Have fun :)

    It's a lot easier being righteous than right.


    25.2.2014 01:31 #11

  • DVDBack23

    Virus writers don't bother with Mac because why build something to infect 9 percent of the world's computer population when you can hit the other 91 percent just as easily?

    25.2.2014 21:40 #12

  • Jemborg

    Originally posted by DVDBack23: Virus writers don't bother with Mac because why build something to infect 9 percent of the world's computer population when you can hit the other 91 percent just as easily? "...when you can hit the other 91 percent just as easily?" I would dispute that. I would doubt that ANY virus writer would expect to catch anywhere near that percentage.

    If I was a virus writer (and I'm talking in terms of identity theft, trojans, worms etc.) I would jump at the chance to nail a naive unsuspecting whole 9%.

    In commercial terms 9% is an ENORMOUS number and would be a wet dream for such types. And iSheeps are usually moneyed. And are we looking at their extremely popular mobile tech too? Judging from the above, indeed yes.


    So I guess the article writer above is wrong about Apple being in any trouble... hang on... that's you isn't it? :)



    -----------------------------------------------------------------

    It's a lot easier being righteous than right.


    25.2.2014 23:53 #13

  • ddp

    Jemborg, I agree as that 9% (Apple) doesn't have the vast 3rd party support that the other 90% (Windows) for anti virus\malware programs.

    26.2.2014 00:15 #14

  • Jemborg

    Yes, and this doesn't count for those that just do it for... fun/because they can/they're malicious/kudos/hey it's Apple!

    And it's not like nobody's ever written a virus for Macs either.


    I saw this on national newsfeed initially. I don't have a thing against Macs really, though I think they make exaggerated claims and prices. You do what you can get away with I suppose.

    It's a lot easier being righteous than right.


    26.2.2014 06:52 #15

  • Mrguss

    Originally posted by DVDBack23: Virus writers don't bother with Mac because why build something to infect 9 percent of the world's computer population when you can hit the other 91 percent just as easily? For name, fame & just fun.

    Beside that many people are sick and tired of all the over-exaggerated Crapple Monopoly ads everywhere and everyday to Corporate gain & exploit more iSheeps.

    +5000

    26.2.2014 15:48 #16

  • Mez

    DVDBack23, 9% of the world computers is a lot of computers. Ignoring them is like not picking up a $10 bill because it isn't a $100. I suspect most macs are loaded with bot nets. Most of the dopes using apple products aren't going to do anything.

    The security patch will only help if the user starts from scratch. Who is going to do that???

    Most PC users are too lazy as well. Nobody cares about server-side polymorphic malware. They can't even pronounce it. It is the ultimate malware. No AV scanner can protect it. A study 2 yrs ago showed the top 5 AV systems failed to stop 80 of the 80 advanced malware. I expect the malware has gotten stealthier since then.

    28.2.2014 20:13 #17

  • kutulu1

    Lol...Apple sheep having a tough time...lol. This is why I went with a BBZ10. Stuff like this does not happen with Blackberry; top notch security.

    28.2.2014 23:47 #18

  • Jemborg

    Originally posted by kutulu1: Lol...Apple sheep having a tough time...lol. This is why I went with a BBZ10. Stuff like this does not happen with Blackberry; top notch security. Heh, we use Puppy Linux with Seamonkey browser for banking and finalising internet transactions.

    It's a lot easier being righteous than right.


    2.3.2014 02:27 #19

© 2024 AfterDawn Oy
