Researchers at the security firm Crowdstrike and elsewhere who reverse engineered Apple’s security update say that it reveals a security flaw not only in Apple’s iOS mobile operating system but also in its desktop OSX software, even though the company has so far released a security update only for mobile users. The vulnerability, nicknamed “gotofail” by researchers after a flawed “goto” command in Apple’s code that skips an authentication step, allows an attacker who controls any network to which a device connects to hijack that device’s traffic and redirect or modify it, and may have persisted in Apple’s devices for months before being discovered.
“This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server,” write Crowdstrike’s researchers. The bug also “give[s] them a capability to modify the data in flight (such as deliver exploits to take control of your system).”
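The “goto” pattern the researchers describe, as an added illustration that is not code from Apple or from this article: the hashing and signature helpers below are constructed placeholders (not Apple’s API), and the function names are hypothetical, but the control flow mirrors the bug. Because the duplicated `goto fail;` is unconditional, the signature check after it never runs and the function returns the success code still sitting in `err`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the handshake hashing and signature steps (not
 * Apple's API). Like Apple's OSStatus-returning helpers, 0 means success. */
static int hash_update(const char *data) { return data != NULL ? 0 : -1; }
static int signature_ok(const char *sig) { return strcmp(sig, "GOOD") == 0 ? 0 : -1; }

/* Vulnerable shape: the second "goto fail;" is unconditional, so the signature
 * check after it is unreachable and err still holds 0 (success) at "fail:". */
int verify_vulnerable(const char *sig)
{
    int err;
    if ((err = hash_update("ClientHello.random")) != 0)
        goto fail;
    if ((err = hash_update("ServerHello.random")) != 0)
        goto fail;
        goto fail;                         /* the stray duplicate line */
    if ((err = signature_ok(sig)) != 0)    /* never executed */
        goto fail;
fail:
    return err;
}

/* Corrected shape: one goto per check, so a bad signature is rejected. */
int verify_fixed(const char *sig)
{
    int err;
    if ((err = hash_update("ClientHello.random")) != 0)
        goto fail;
    if ((err = hash_update("ServerHello.random")) != 0)
        goto fail;
    if ((err = signature_ok(sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* A forged signature: the vulnerable path accepts it (0), the fixed path rejects it. */
    printf("vulnerable: %d  fixed: %d\n", verify_vulnerable("BAD"), verify_fixed("BAD"));
    return 0;
}
```

Compilers do not flag the unreachable check by default; warnings such as `-Wunreachable-code` and a code-coverage run are the kind of tooling that would have surfaced it.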
Researchers are warning that the flaw seems to affect Safari, rather than Chrome or Firefox, so switching browsers may offer a partial workaround for the vulnerability. I tested several browsers against a proof-of-concept demonstration of the bug recommended by several security researchers at gotofail.com and found that Safari was in fact vulnerable to the attack, while Chrome and Firefox appeared to be unaffected. But the test shouldn’t be seen as definitive, and the impact of the flaw goes beyond browsers. Security researcher Ashkan Soltani has found that it may affect Apple’s Mail application as well, according to Ars Technica.
The flaw allows communications to be so effectively eavesdropped or corrupted that some in the security community are speculating that it may have been a purposeful backdoor implanted to offer access to the NSA or others. But Google security staffer Adam Langley writes in his in-depth analysis of the bug that it’s more likely an unfortunate accident. “This sort of subtle bug deep in the code is a nightmare,” he writes. “I believe that it’s just a mistake and I feel very bad for whomever might have slipped in an editor and created it.”
I’ve contacted Apple for comment, and I’ll update this post as soon as I hear from them. The company tells Reuters that it plans to release a second patch for OSX “very soon.” In the meantime, German security firm Sektion Eins has released its own patch for the flaw, though like any unofficial patch it’s not clear how effective it may be in solving the issue or what other side effects it may incur for users.
Until Apple releases a patch of its own, users should update their iOS devices to the latest version, use Chrome or Firefox rather than Safari, and try to avoid untrusted networks.