Worms in Apple...again

Thanks to mobile devices, Apple has gone from a niche computer-maker to one of the world's more powerful brands. But has Apple security sunk to new depths?

An article in Forbes Magazine refers to "Apple's deafening silence" on a security flaw that was exposed last week. Known as "GoToFail", the bug sits in the SSL/TLS code shared by Apple's iOS and OS X: a stray `goto fail;` line skips the step that verifies the server's signature, so a "man-in-the-middle" attacker on the same network can impersonate any secure site and read or alter traffic the user believes is encrypted. But while Apple issued an update for iPhones and iPads last Friday, as of this writing there's still no patch for OS X. Worse yet, Apple didn't send a warning to its users; it's been left to tech journalists and security researchers to inform the Mac-using public.

Security experts respond

UK-based security guru Graham Cluley has sound advice for Apple users: "Install the update on your iPhone or iPad by visiting Settings/General/Software Update," advises Cluley in a blog post. "But iOS's cousin, Mac OS X, is also vulnerable to the same shocking privacy flaw. And there is no fix for those affected desktop and laptop computers yet."

Security technologist Runa Sandvik said in the Forbes article: "Apple dropped a [zero-day exploit] on users at 4:00 PM on a Friday and has not yet made any statements about when OS X users can expect a patch. When Apple disclosed the iOS bug, they did not mention how long the bug has been around for, how/when it was discovered or affected iOS versions. It was then independent security researchers who discovered that the same issue also affects OS X users."

Sandvik created a website called "Has GoTo Fail Been Fixed Yet?" where you can check whether your setup is vulnerable. Meanwhile, avoiding unencrypted public Wi-Fi networks is a good idea, since that is exactly where a man-in-the-middle is easiest to mount. Chrome or Firefox are better browser choices than Apple's Safari at the moment, because they ship their own TLS library rather than relying on the flawed Apple one; and many recommend disabling Apple background services that use the affected code, such as the email client Mail and iCloud services.

In short, if you're using OS X, turning off Apple's online software/services seems like good security practice. Does anyone see anything wrong with this picture?

Shoddy workmanship

"I can't blame Apple for the SSL bug, but their response has been pretty awful," tweeted ACLU security technologist Chris Soghoian.

"Unlike Soghoian, I actually DO blame Apple for this bug," said security researcher Richard Stagg, managing consultant at Hong Kong-based Handshake Networking. "A compiler should spot unreachable code and throw warnings. Static source code audit likewise should detect this type of glitch and raise an alert," said Stagg.

He also brings up the obvious: "A company with practically unlimited resources like Apple, working on highly critical code relating to encryption, should have gone over this with a dozen fine-tooth combs. Did they not even have a testing process to simulate a man-in-the-middle attack?"
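Stagg's two points, that a compiler or static analyser should flag the dead code and that a man-in-the-middle test should catch the broken check, are easy to see in a reduced model of the flaw. The block below is an added example written for this page; it is not Apple's code and not part of the original article. The hash and "signature" routines are toy stand-ins (hypothetical names `hash_update`, `hash_final`, `raw_verify`, `compute_signature`) that stand in for the real SHA-1 and RSA steps, so that the control-flow bug, an unconditional second `goto fail;` that leaves `err` at 0 and jumps over the verification, can be exercised offline. Compiling with `clang -Wunreachable-code` reports the lines after the duplicated `goto` as unreachable, which is the warning Stagg says should have been noticed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy hash context: stands in for the real SHA-1 context (assumption). */
typedef struct { uint32_t h; } hash_ctx;

static int hash_update(hash_ctx *c, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        c->h = c->h * 31u + p[i];
    return 0;                       /* 0 means success, like the real API */
}

static int hash_final(hash_ctx *c, uint32_t *out)
{
    *out = c->h;
    return 0;
}

/* Toy signature check: the "signature" is just the expected digest.
 * Returns 0 on match, -1 on mismatch (stand-in for the RSA verify). */
static int raw_verify(uint32_t expected, uint32_t signature)
{
    return expected == signature ? 0 : -1;
}

/* What a legitimate server would send: the digest over both inputs. */
uint32_t compute_signature(const uint8_t *server_random, size_t rlen,
                           const uint8_t *params, size_t plen)
{
    hash_ctx ctx = {0};
    uint32_t out = 0;
    hash_update(&ctx, server_random, rlen);
    hash_update(&ctx, params, plen);
    hash_final(&ctx, &out);
    return out;
}

/* Vulnerable shape: the second goto is unconditional, so hash_final and
 * raw_verify never run and the function returns err == 0 ("verified"). */
int verify_vulnerable(const uint8_t *server_random, size_t rlen,
                      const uint8_t *params, size_t plen, uint32_t signature)
{
    int err;
    uint32_t hash_out = 0;
    hash_ctx ctx = {0};

    if ((err = hash_update(&ctx, server_random, rlen)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
        goto fail;   /* BUG: always taken; everything below is dead code */
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, signature);

fail:
    return err;
}

/* Fixed shape: braces on every branch, one goto per condition, and the
 * verification result is the only path to returning 0. */
int verify_fixed(const uint8_t *server_random, size_t rlen,
                 const uint8_t *params, size_t plen, uint32_t signature)
{
    int err;
    uint32_t hash_out = 0;
    hash_ctx ctx = {0};

    if ((err = hash_update(&ctx, server_random, rlen)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&ctx, params, plen)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &hash_out)) != 0) {
        goto fail;
    }
    err = raw_verify(hash_out, signature);

fail:
    return err;
}

/* Stand-alone demo: a forged signature is what a man-in-the-middle sends. */
int main(void)
{
    const uint8_t r[] = {1, 2, 3};        /* constructed sample inputs */
    const uint8_t p[] = {4, 5};
    uint32_t good = compute_signature(r, sizeof r, p, sizeof p);
    uint32_t forged = good ^ 1u;

    printf("vulnerable, forged sig: %d (0 = accepted)\n",
           verify_vulnerable(r, sizeof r, p, sizeof p, forged));
    printf("fixed, forged sig:      %d\n",
           verify_fixed(r, sizeof r, p, sizeof p, forged));
    printf("fixed, good sig:        %d\n",
           verify_fixed(r, sizeof r, p, sizeof p, good));
    return 0;
}
```

The third call is the "simulate a man-in-the-middle" test Stagg asks about: feed the verifier a signature that does not match and require a non-zero result. The vulnerable version passes a forged signature with err == 0, which is the whole bug; any negative test in the suite would have caught it.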

"Apple have way too many dollars to get a free pass for any kind of skimping on development processes," says Stagg, and he's right. While the company makes handsome profits on its line of iDevices, many people get their work done on Macs. Are we to conclude that the mobile OS is the priority, given that it has been patched while OS X twists in the wind waiting for a fix?

"Let's hope that Apple pushes out a fix soon for Mac OS X users, and that their testing will be more extensive in future to avoid such serious bugs shipping in future," wrote Cluley. It's only right that a company as wealthy and resource-rich as Apple fine-tune their software, issue patches promptly, and inform its users.


Stories by Stefan Hammond
