Galaxy Watch 5 Review Specialty Foods Online 'She-Hulk' Review Disney Streaming Price Hike Raspberry Girl Scout Cookie $60 Off Lenovo Chromebook 3 Fantasy Movies on HBO Max Frontier Internet Review
Want CNET to notify you of price drops and the latest stories?
No, thank you

Apple finally fixes 'gotofail' OS X security hole

After a multiday delay that irked users, Apple has released a system software update for OS X Mavericks that fixes what's become known as the "gotofail" security vulnerability.

An excerpt from Apple's published source code. Note the repeated "goto fail" lines.
An excerpt from Apple's published source code. Note the repeated "goto fail" lines.

Apple has finally fixed a serious OS X security vulnerability that had left millions of users exposed to potential eavesdropping or account hijacking.

In a terse note this morning accompanying a system software update, the company acknowledged that "an attacker" could "capture or modify data" transferred with Safari, Mail, iCloud and other Apple-created applications even though the communication streams were supposed to be securely encrypted.

The security vulnerability quickly became known as the "gotofail" bug after a review of Apple's publicly posted code showed an errant duplicate statement created the glitch. Apple previously released a fix for iOS devices Friday.

By not releasing the iOS and OS X fixes simultaneously, Apple left laptop and desktop users vulnerable during that time -- and security experts aghast at the company's delays. Ryan Lackey, a longtime Apple user who founded CryptoSeal, said on Twitter yesterday that: "Whoever at Apple decided to wait 4+ days for 10.9.2 to patch the OSX vulnerability needs to no longer be in that position."

The security vulnerability arose out of Apple's custom implementation of a security standard known as SSL/TLS. By including the "goto fail" line twice in a row, the normal error check for some types of encryption signatures fails.

It did not, however, affect software that does not rely on Apple's custom implementation of SSL/TLS. Google's Chrome and Mozilla's Firefox browser, for instance, do not have this vulnerability.

This is not merely a hypothetical security hole. Aldo Cortesi, a New Zealand security consultant, posted a version of the mitmproxy utility that gives access to encrypted traffic when, he said, the computer is using "Apple's broken implementation" of SSL/TLS. Cortesi added: "It's difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic."

Adam Langley, a Google software engineer who has worked on Chrome's network stack, wrote in a blog post that: "Since this is in SecureTransport, it affects iOS from some point prior to 7.0.6 (I confirmed on 7.0.4) and also OS X prior to 10.9.2 (confirmed on 10.9.1)."