When using Apple Hardware, be prepared for security updates. iOS already there, OS X and others will follow. #gotofail
Posted by jpluimers on 2014/02/24
Last week, Apple fixed the so-called #gotofail bug for iOS devices. Other devices (Macs with OS X 10.9 Mavericks, maybe earlier versions, and I also suspect Apple TV to be vulnerable) will follow soon.
I thought that old iOS devices would be left in the dark, as the updates are for iOS 6.x and 7.x only. So any device that can only run iOS 5 or lower might not be supported.
So I thought these devices would be unsupported, but found out that an iPad 1st generation passes the gotofail.com test.
So if you have any of these, please let me know if they fail or pass:
- iPhone 3 or earlier,
- iPod Touch 3rd generation or earlier,
- iPad 1st generation: passes.
Please watch security announcements carefully when using Apple equipment, as the bug greatly facilitates man-in-the-middle attacks: a client with the flawed code accepts a forged ServerKeyExchange signature, so anyone between you and the server can impersonate the server.
Some other sites with background information (it hit the news widely):
- Apple OSX Mavericks 10.9.x SSL Key Exchange Verification Vulnerability (CVE-2014-1266) | SektionEins GmbH.
- National Vulnerability Database (NVD) National Vulnerability Database (CVE-2014-1266).
- Here are some of the apps which rely on the vulnerable Apple gotofail SSL library beyond Safari….
- Apple’s ‘Gotofail’ Security Mess Extends To Mail, Twitter, iMessage, Facetime And More – Forbes.
- Apple promises fix ‘very soon’ for Macs with failed encryption | Reuters.
- Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible | 9to5Mac.
- Apple patched a major SSL bug in iOS yesterday, but OS X is still at risk | 9to5Mac.
- Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage, Other Apps Affected – Mac Rumors.
- Apple Fixes Dangerous SSL Authentication Flaw In iOS – Slashdot.
The cause is unreachable code resulting from a copy/paste error (a duplicated `goto fail;` line) combined with the absence of curly braces around single-statement if bodies: the second `goto fail;` executes unconditionally, the signature verification that follows it is never reached, and the function returns its last (successful) error code, as explained for instance by ImperialViolet – Apple’s SSL/TLS bug.
Of course, the jokes did not take long, like the T-shirt on the right (and many others) and the conspiracy theories about Apple and the NSA.
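To make the defect class concrete, here is an added example of my own (not Apple's code and not from any of the linked articles) that reproduces the shape of the bug in a toy key-exchange routine: the handshake hashing steps, the error codes and the "signature" comparison are all constructed stand-ins. The vulnerable function reports success for any signature because the duplicated, unbraced `goto fail;` skips the check; the fixed function braces every body and removes the duplicate.

```c
#include <stdbool.h>

#define ERR_OK        0
#define ERR_BAD_SIG  -9809   /* constructed placeholder error code */

/* Constructed stand-ins for the handshake hashing steps; each folds a
 * "random" into the running accumulator and always succeeds. */
static int hash_client_random(unsigned *acc) { *acc ^= 0x1234u; return ERR_OK; }
static int hash_server_random(unsigned *acc) { *acc ^= 0x5678u; return ERR_OK; }

/* Toy signature check: the peer's signature must equal the accumulated hash
 * (0x444C for the two constants above). */
static int verify_signature(unsigned acc, unsigned sig) {
    return acc == sig ? ERR_OK : ERR_BAD_SIG;
}

/* VULNERABLE shape (the same defect class as CVE-2014-1266): an unbraced
 * "if" followed by a duplicated "goto fail;". The second goto is not part
 * of the if, so it runs unconditionally; verify_signature() is unreachable
 * and err still holds ERR_OK from the last hashing step. */
int key_exchange_vulnerable(unsigned sig) {
    unsigned acc = 0;
    int err;
    if ((err = hash_client_random(&acc)) != 0)
        goto fail;
    if ((err = hash_server_random(&acc)) != 0)
        goto fail;
        goto fail;                                     /* duplicated line */
    if ((err = verify_signature(acc, sig)) != 0)       /* never reached */
        goto fail;
fail:
    return err;
}

/* FIXED shape: braces around every body, duplicate removed. A stray
 * "goto fail;" pasted inside a braced body would still be conditional. */
int key_exchange_fixed(unsigned sig) {
    unsigned acc = 0;
    int err;
    if ((err = hash_client_random(&acc)) != 0) {
        goto fail;
    }
    if ((err = hash_server_random(&acc)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(acc, sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* Returns true when the vulnerable routine accepts a signature the fixed
 * routine rejects, i.e. when a forged signature would pass. */
bool forged_signature_accepted(unsigned forged_sig) {
    return key_exchange_vulnerable(forged_sig) == ERR_OK &&
           key_exchange_fixed(forged_sig) != ERR_OK;
}

int main(void) {
    /* A forged signature (constructed value) is accepted by the vulnerable
     * path and rejected by the fixed one. */
    return forged_signature_accepted(0xDEADu) ? 0 : 1;
}
```

The linked /r/programming thread below notes that gcc needs -Wunreachable-code to flag the dead `if`; clang's -Wunreachable-code also reports it, and the AppCode tip in the same list shows an IDE doing the same. Enforcing braces on every conditional body in code review or with a formatter removes the failure mode regardless of compiler warnings.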
- How’s My SSL?.
- Tip of the day: Detecting unreachable code is easy with #AppCode. Can your IDE do the same?
- Apple’s SSL/TLS bug : programming; gcc needs the -Wunreachable-code flag to detect this bug, as -Wall does not enable all warnings.
- ImperialViolet – Apple’s SSL/TLS bug.
- I TOLD You Gotos Are Dangerous!.
Edit: indeed, iOS releases in the 6.x and 7.x trees were vulnerable, including Apple TV:
- About the security content of Apple TV 6.0.2.
- About the security content of iOS 6.1.6.
- About the security content of iOS 7.0.6.
–jeroen