A place for all things security.

Apple releases update for a MAJOR security vulnerability

Feb 23, 2014 // Andrew Stroup

On Friday, Apple released a patch for iOS (7.0.6) to fix a long-standing bug (not previously disclosed to the public) that allows a straightforward way to intercept and decrypt SSL/TLS communications. SSL/TLS is used to transfer information securely, and is what secure websites such as banks and e-commerce sites rely on when handling sensitive data like credit card numbers.

Good for Apple, right? Well, it would be, if not for the following two reasons: 1) there is still no fix available for OS X, meaning all Apple hardware running OS X remains vulnerable, and 2) Apple has apparently known about this issue for some time.

Specifically, the error is an extra “goto fail;” statement on line 632 that causes SSL signature verification to always succeed in certain common configurations. More details can be found on Adam Langley’s (of Google) personal blog.
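To make the bug pattern concrete, here is a reduced reconstruction (an added example, not Apple's source): a chain of error-checked steps, each followed by a single `goto fail;`, with one line duplicated. The hash and signature steps are constructed stand-ins that return 0 for success, as the real SecureTransport functions do.

```c
#include <stdio.h>

/* Constructed stand-ins for the hashing and verification steps. */
static int update_hash(int ok) { return ok ? 0 : -1; }

/* Simulated final signature check: 0 only when the signature is valid. */
static int verify_signature(int signature_valid) { return signature_valid ? 0 : -1; }

/* Vulnerable pattern: the second "goto fail;" is not guarded by an if, so it is
   always executed. Everything after it, including the real signature check, is
   unreachable, and err still holds the 0 from the last successful step, so the
   function reports success even for a bad signature. */
int verify_vulnerable(int signature_valid) {
    int err;
    if ((err = update_hash(1)) != 0)
        goto fail;
        goto fail;          /* the duplicated line: unconditional */
    if ((err = update_hash(1)) != 0)
        goto fail;
    if ((err = verify_signature(signature_valid)) != 0)  /* never reached */
        goto fail;
fail:
    return err;             /* 0 means "verified" */
}

/* Fixed pattern: exactly one goto per check, with braces around every
   conditional body so a stray line can never silently become unconditional. */
int verify_fixed(int signature_valid) {
    int err;
    if ((err = update_hash(1)) != 0) {
        goto fail;
    }
    if ((err = update_hash(1)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(signature_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    printf("vulnerable, bad signature: %d\n", verify_vulnerable(0)); /* 0: wrongly accepted */
    printf("fixed, bad signature:      %d\n", verify_fixed(0));      /* -1: rejected */
    return 0;
}
```

Compiling the vulnerable function with Clang's -Wunreachable-code (the flag the post mentions) warns about the dead statements after the duplicated goto, while -Wall alone does not, because -Wall does not enable that check.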

To show the gravity of the bug, Apple even released an update to iOS 6 for iPhone 3GS and 4th generation iPods. The official update for iOS 7 capable devices is 7.0.6. From the limited information provided, there are no updates planned for previous versions of OS X (prior to 10.9 Mavericks), indicating that the bug may not have been present until the recent update to the operating system.

While the world waits for an official release for OS X 10.9 (Mavericks), Stefan Esser has released an unofficial patch for the bug, which should not be explored unless a user has significant experience working with code. Based on reports by Reuters, Apple is noting a fix for OS X is currently being tested and will be released “very soon”.

Apple hasn’t released a lot of information regarding the bug, including how it was discovered. There are speculations that it could have been through an internal code review or presented to Apple by a third party. Clarity on the source of the reported bug will simply be speculation until Apple provides more details regarding the issue.

How did no one catch this bug until now? The code has been open source for over a year and has been seen by people inside and outside of Apple. Digging a little deeper: compiling with Clang 3.3 from Xcode using the -Wall option (enables all warnings) produces no warning at all. However, with -Wunreachable-code (noted by Peter Nelson) or -Weverything (noted by Mark Janssen) the bug is flagged, which shows how confusing these code review tools can be to use, even for experts.

What’s next? The ideal outcome is for an OS X patch to be released today to resolve the outstanding issues for Apple users, followed by full disclosure of how the bug was identified and a clear path forward for future internal code reviews by the Apple development team. This type of error is bound to happen in any code review and production release, but correcting the processes around it so that further errors and bugs do not occur is the best way to keep moving forward and maintain users’ trust.