What Apple’s Goto Fail Security Bug Means to You

| Analysis

Safari in OS X Mavericks may not be as secure as you think, especially if you surf the Web in public places like coffee shops or at school. A serious flaw in the code Safari and Mail use, called the Goto Fail Bug, could expose data you'd rather keep private -- like passwords and banking information -- and even let hackers intercept your email. Apple promises a fix is coming, but until then it's up to you to practice safe browsing habits to help avoid accidentally exposing your personal information online.

Safari's Goto bug could expose your Web surfing to hackers

As The Mac Observer reported earlier, Apple updated iOS 7 to 7.0.6, with the stated reason being “This security update provides a fix for SSL connection verification.” To those who aren’t security-minded this sounds like a good thing (who wouldn’t want their connection verified?), but the wording raised all sorts of alarms in security circles, because it implies that connections were not being properly verified before. The vulnerability has been dubbed Goto Fail after the C statement that is executed when it shouldn’t be.

The alarm is warranted because TLS (Transport Layer Security) and its predecessor, SSL (Secure Sockets Layer), provide two very important services. The first is confidentiality, in the form of encryption that scrambles the data you send over the network so that others can’t read it. The second, and the one this bug breaks, is authentication, also known as verification: assurance that the system you’re exchanging data with is who it says it is.

This authentication is done via what’s known as a digital signature, using a technology called public key encryption. A signature is created with a private key, a piece of data that only the owner of a system and its corresponding certificate should possess, and verified with a public key, which is stored on your computer. The problem is that if the signature isn’t verified when an SSL/TLS connection is established, someone can launch what is known as a “man in the middle” attack: they sit between you and the server and monitor your network traffic without your knowing it.
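To make the two preceding paragraphs concrete, here is an added illustration in C. It is not code from this article and not Apple’s actual source: it models only the shape of the bug, a duplicated, unconditional `goto fail` that jumps past the signature check while the error variable is still zero, so the handshake is accepted without the server ever proving it holds the private key. The corrected version follows it. The hash, the signature scheme, the handshake buffers, the function names and the error codes are all constructed stand-ins for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed error codes for this example (not Apple's). */
enum { OK = 0, ERR_HASH = -1, ERR_BAD_SIGNATURE = -2 };

typedef struct { const uint8_t *data; size_t len; } buffer_t;

/* Toy digest standing in for SHA-1: fine for the demo, useless for security. */
static int hash_update(uint32_t *state, const buffer_t *b)
{
    if (b->data == NULL)
        return ERR_HASH;
    for (size_t i = 0; i < b->len; i++)
        *state = (*state * 31u) ^ b->data[i];
    return OK;
}

/* Toy stand-in for "verify the server's asymmetric signature over the digest
 * with its public key": here the signature is simply the expected digest. */
static int verify_signature(uint32_t digest, uint32_t signature)
{
    return digest == signature ? OK : ERR_BAD_SIGNATURE;
}

/* Vulnerable shape: the second "goto fail;" is not inside any if, so it always
 * runs. err still holds 0 from the last successful hash_update(), control jumps
 * to fail, and verify_signature() is never called. (In the original it was
 * indented to look like part of the if-body, which is why it was easy to miss.) */
static int verify_key_exchange_vulnerable(const buffer_t *client_random,
                                          const buffer_t *server_random,
                                          const buffer_t *signed_params,
                                          uint32_t signature)
{
    uint32_t digest = 17u;
    int err;

    if ((err = hash_update(&digest, client_random)) != 0)
        goto fail;
    if ((err = hash_update(&digest, server_random)) != 0)
        goto fail;
    goto fail;                                   /* the stray line */
    if ((err = hash_update(&digest, signed_params)) != 0)
        goto fail;

    err = verify_signature(digest, signature);   /* unreachable */

fail:
    return err;
}

/* Fixed shape: stray goto removed, and every if-body braced so that a repeated
 * line would land inside the braces instead of becoming an unconditional jump. */
static int verify_key_exchange_fixed(const buffer_t *client_random,
                                     const buffer_t *server_random,
                                     const buffer_t *signed_params,
                                     uint32_t signature)
{
    uint32_t digest = 17u;
    int err;

    if ((err = hash_update(&digest, client_random)) != 0) { goto fail; }
    if ((err = hash_update(&digest, server_random)) != 0) { goto fail; }
    if ((err = hash_update(&digest, signed_params)) != 0) { goto fail; }

    err = verify_signature(digest, signature);

fail:
    return err;
}

/* Constructed handshake material for the demo (not captured traffic). */
static const uint8_t CLIENT_RANDOM[] = "client-random-bytes";
static const uint8_t SERVER_RANDOM[] = "server-random-bytes";
static const uint8_t SIGNED_PARAMS[] = "dh-params-from-the-real-server";
#define BUF(arr) { (arr), sizeof(arr) - 1 }

/* The signature a legitimate server would produce in this toy scheme. */
uint32_t genuine_signature(void)
{
    const buffer_t c = BUF(CLIENT_RANDOM), s = BUF(SERVER_RANDOM), p = BUF(SIGNED_PARAMS);
    uint32_t digest = 17u;
    hash_update(&digest, &c);
    hash_update(&digest, &s);
    hash_update(&digest, &p);
    return digest;
}

/* Run each verifier against a given signature; returns OK or an error code. */
int vulnerable_check(uint32_t signature)
{
    const buffer_t c = BUF(CLIENT_RANDOM), s = BUF(SERVER_RANDOM), p = BUF(SIGNED_PARAMS);
    return verify_key_exchange_vulnerable(&c, &s, &p, signature);
}

int fixed_check(uint32_t signature)
{
    const buffer_t c = BUF(CLIENT_RANDOM), s = BUF(SERVER_RANDOM), p = BUF(SIGNED_PARAMS);
    return verify_key_exchange_fixed(&c, &s, &p, signature);
}

int main(void)
{
    uint32_t good = genuine_signature();
    uint32_t forged = good ^ 0xFFFFFFFFu;   /* a value no real server would sign */
    printf("vulnerable: genuine=%d forged=%d\n", vulnerable_check(good), vulnerable_check(forged));
    printf("fixed:      genuine=%d forged=%d\n", fixed_check(good), fixed_check(forged));
    return 0;
}
```

The vulnerable verifier returns OK for the forged signature as well as the genuine one, which is exactly what lets a man in the middle present his own key material and be accepted; the fixed verifier rejects it. The braces in the fixed version are the cheap structural defence: with them, an accidentally duplicated `goto fail;` stays inside the conditional, and a compiler warning for unreachable code would flag the remaining problem.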

The concern is that while Apple has patched this vulnerability in iOS 6, iOS 7 and Apple TV 6, as of this writing it hasn’t yet patched OS X 10.9.x, which shares the same security code as iOS. To see if your browser is vulnerable, you can use the Goto Fail Browser Security Check.

At this point, Safari is vulnerable, but other browsers, such as Firefox and Chrome, which don’t use Apple’s SSL/TLS implementation, are not. But this isn’t just a matter of using a different browser, since other pieces of Apple software, such as Mail.app, also use Apple’s SSL/TLS implementation.

What can you do to reduce the risk of your data being compromised? Avoid using public Wi-Fi. If you must use it, consider using a VPN (Cloak is a fine choice for OS X and iOS) to provide an additional layer of security for your network connection. If you send sensitive data via email, consider using S/MIME or GPG to encrypt and sign your email. If you're really worried, use an earlier version of OS X, since only Mavericks looks to be vulnerable per the Vulnerability Summary for CVE-2014-1266.

And try not to panic, at least not until you've found your towel. This bug will not send all of your confidential data to the criminals of the world, but it certainly makes it easier for those with the right tools.


Comments

mrmwebmax


And try not to panic, at least not until you’ve found your towel.

42.

wab95

Many thanks for that excellent summary, John.

I just heard about this vulnerability a few hours ago out here in my field site - very far from where you are - from my mum, of all people, who Skyped me to find out what this was and whether or not she should be worried. She looks to me for her tech info; sadly I failed her, as I had not heard of it with my extremely limited time and internet access. Now at least I can forward this to her.

Thanks, too, for that reminder about Cloak, which I’ve heard you and Dave mention before on MGG. I so seldom use public Wi-Fi unless I’m at a conference that I haven’t bothered. Now might be a good time to spring for it (not that I need it where I am, but that’s another issue).

Cheers.

jbruni

10.9.2 is just around the corner. Most likely it will be included in that patch as well as a stand-alone.

jbruni

http://appleinsider.com/articles/14/02/24/apple-nearing-release-of-os-x-1092-with-support-for-facetime-audio-fixes-for-mail-safari

Yup. Includes patch for SSL flaw.

John F. Braun

For those that just can’t wait, here are instructions on how to apply an unofficial patch:

https://gist.github.com/uberbrady/9192980

adamC

Thank goodness there are still sensible people around instead of the sky-is-falling types which are too prevalent nowadays when Apple is concerned.

Nicolas diPierro

The latest (as of 02/24/14) 10.9.2 build 13C62, which uses Safari Version 7.0.2 (9537.74.9), fails the Goto Fail Browser Security Check.

John F. Braun

Thanks, adamC, in that I’ve seen a lot of reports concerning this issue, and there’s lots of hysteria, and just plain misinformation out there. This bug does NOT mean that your traffic is unencrypted, but if someone takes the right steps, they could inject their own private key into the equation, and with the corresponding public key, could then potentially decrypt your network traffic. This write-up from Sophos is the best detailed analysis of the exploit I’ve seen:

http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/
