Apple under fire after massive exploits found in iOS, OS X, Safari, Mail, Facetime, iBooks, Apple Update

Andre Yoskowitz
23 Feb 2014 23:43

Apple is having a rough week, and fans of its products should be hoping for patches as soon as possible.
The company revealed a critical bug in its iOS and Safari data security and quickly released a patch, iOS 7.0.6. Following that revelation, researchers found the same bug in Mac OS X, and today another researcher says the security holes go much further, extending to nearly all of Apple's services and apps. The bug has been dubbed 'GoToFail' after a single improperly coded 'goto' statement in Apple's code.
Among the list of vulnerable apps and services are Mail, Twitter, Facetime, iMessage, iBooks and Apple's software update mechanism.
At the heart of the problem is Apple's "'secure transport' framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL."
Ashkan Soltani, a privacy researcher well known for analyzing documents leaked by Edward Snowden for the Washington Post, released the list of vulnerable apps. The researcher says that if someone wanted to, they could "fake that verification [of how Apple authenticates their secure connection with servers] and hijack or corrupt traffic using what's known as a 'man-in-the-middle' attack."
The most disturbing revelation is that Apple's update application is also vulnerable. The update application is the mechanism that pushes security patches and more to OS X devices. At worst, malware could be pushed to victims' Macs.
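The 'goto' mistake behind the bug's name, shown as a simplified C model next to a fail-closed version. This is an added illustration, not Apple's source code; the function names and the 0/1 inputs are constructed stand-ins for the real handshake steps.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake steps; each returns 0 on success. */
static int hash_update(int ok)      { return ok ? 0 : -1; }
static int verify_signature(int ok) { return ok ? 0 : -1; }

/* Simplified model of the flaw: the second goto is not guarded by the if,
 * so control always jumps to fail with err == 0 and verify_signature()
 * is never reached. */
int verify_vulnerable(int hash_ok, int sig_ok)
{
    int err;
    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
        goto fail;                  /* stray line: runs unconditionally */
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;                     /* 0 tells the caller "verified" */
}

/* Fail-closed form: braces on every branch, and the result is set to
 * success only after every check has actually run and passed. */
int verify_fixed(int hash_ok, int sig_ok)
{
    int result = -1;
    if (hash_update(hash_ok) != 0) {
        goto done;
    }
    if (verify_signature(sig_ok) != 0) {
        goto done;
    }
    result = 0;
done:
    return result;
}

int main(void)
{
    /* Valid hash input, forged signature (sig_ok = 0). */
    printf("vulnerable: %d\n", verify_vulnerable(1, 0));
    printf("fixed:      %d\n", verify_fixed(1, 0));
    return 0;
}
```

Compiler warnings for misleading indentation and unreachable code flag the stray line, which is why treating such warnings as build errors is a common safeguard for verification code.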

