Apple releases security fix for “gotofail”

Apple has finally rolled out a fix for the security vulnerability on Mac OS X. The security flaw, which has come to be known as “gotofail”, allowed a man-in-the-middle attack on unsecured networks. The attacker would be able to send a fake verification to the client and potentially hijack traffic. Some of the affected apps were iMessage, Mail, and FaceTime.

The issue lay hidden in Apple’s SSL implementation, where a goto statement had apparently been used improperly, resulting in the security issue. This fix comes not long after a similar fix was distributed last Friday for the same problem on iOS devices.
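The kind of control-flow mistake described above, as an added illustration that is not Apple's code: a simplified C sketch in which a duplicated `goto fail;` skips the final signature check, next to a fail-closed version. All function names and the stand-in checks are hypothetical and constructed for this example.

```c
#include <stdio.h>

/* Constructed stand-ins for handshake steps (hypothetical names). */
static int hash_step(void)              { return 0; }            /* always succeeds */
static int check_signature(int is_valid) { return is_valid ? 0 : -1; }

/* Recent GCC and Clang report this pattern via -Wmisleading-indentation;
 * silenced here so the deliberately flawed function compiles quietly. */
#pragma GCC diagnostic ignored "-Wmisleading-indentation"

/* Flawed: returns 0 (accept) even when the signature is invalid. */
int verify_vulnerable(int sig_valid)
{
    int err;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
        goto fail;   /* duplicated line: not guarded by the if, always taken */
    if ((err = check_signature(sig_valid)) != 0)   /* never reached */
        goto fail;
fail:
    return err;      /* err is still 0 from the last successful hash_step() */
}

/* Hardened: braces on every branch, and success is only set after the
 * last check, so any early exit (even a stray jump) rejects the peer. */
int verify_fixed(int sig_valid)
{
    int result = -1;                        /* fail closed by default */
    if (hash_step() != 0) { goto done; }
    if (hash_step() != 0) { goto done; }
    if (check_signature(sig_valid) != 0) { goto done; }
    result = 0;                             /* every check passed */
done:
    return result;
}

int main(void)
{
    printf("vulnerable, bad signature: %d (0 = accepted)\n", verify_vulnerable(0));
    printf("fixed,      bad signature: %d\n", verify_fixed(0));
    printf("fixed,      good signature: %d\n", verify_fixed(1));
    return 0;
}
```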

Apple has received criticism for two of its choices in handling this issue. First, when Apple first admitted there was an issue, it had no fix readily available for OS X. Second, once a fix was found, Apple decided not to release it immediately, but to wait and bundle it with the 10.9.2 release. Furthermore, Apple did not mention this security update in the patch notes.

Sources:

http://www.forbes.com/sites/andygreenberg/2014/02/25/apple-patches-its-gotofail-security-bug-for-osx-after-four-days-of-heckling/

http://www.reuters.com/article/2014/02/25/us-apple-security-idUSBREA1O1Q820140225

One thought on “Apple releases security fix for “gotofail””

  1. I think that with security issues such as this, it should have been addressed and patched as soon as Apple had a patch ready. I understand Apple’s logistics with their updates, but with a security issue like this they should have made it a priority to fix it as soon as possible.