Apple’s OS X security hole affects slew of apps, researcher claims

By Trevor Mogg Published February 24, 2014

It looks as if it’s going to be a busy start to the week for Apple’s security team, with more bad news surfacing in connection with a recently publicized ‘gotofail’ vulnerability in its mobile and desktop operating systems.

The tech firm on Friday rolled out an urgent fix for iDevices running iOS 7 after it was discovered it was possible for hackers to obtain a user’s data via a shared Wi-Fi network. Shortly after, it emerged the Safari browser on Mac computers was also affected, with Apple promising to roll out a fix soon.

Recommended Videos

The situation could be more serious than first feared, however, as a privacy researcher is claiming the bug affects a whole bunch of OS X applications, among them Mail, Twitter, FaceTime, iMessage, iBooks, and even Apple’s software update mechanism, Forbes reported Sunday.

Washington, DC-based Ashkan Soltani posted the list of vulnerable programs on Twitter, which, if accurate, means a hacker could potentially “capture or modify data in sessions protected by SSL/TLS” – in other words, data passing between a computer and servers over a shared network, such as public Wi-Fi, could be intercepted. The advice is to avoid using a Mac computer on such public Wi-Fi networks until Apple rolls out the fix for OS X.

Here are some of the apps which rely on the vulnerable Apple #gotofail SSL library beyond Safari /cc @a_greenberg pic.twitter.com/ombDOOa01A

— ashkan soltani (@ashk4n) February 23, 2014

The bug, which first came to light three days ago, has been dubbed ‘gotofail’ because of the single erroneously used ‘goto’ command in the tech giant’s code that caused it. Many in the security community have been puzzled by the apparent simplicity of the error, leading some conspiracy-oriented members to wonder if the code was a calculated move to create a backdoor for spy agencies. Apple, however, has always said it has never enabled backdoor access into any of its products.

Soltani, who describes himself as “an independent researcher and consultant focused on privacy, security, and behavioral economics,” has previously worked on behalf of the Washington Post, helping to analyze documents leaked by Edward Snowden.

[Image: Maksim Kabakou / Shutterstock]

Topics

Apple
Apple

Contributing Editor

Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…

Mobile

Vital security update for Apple devices takes only a few minutes to install

iPhone 14 Pro Max in hand.

UPDATE: Just hours after rolling out the security update, Apple has pulled it after users began experiencing compatibility issues with Safari for sites such as Instagram and Facebook. If you've already installed the update, you can downgrade on iPhone and iPad by going to Settings, then General. Select About and then OS version. Finally, tap Remove Security Response.

For Mac, select the Apple logo top left and then System Settings. Next, select General, and then About. Under macOS, select the "i" (information) button located beside the OS version. Where it says Last Security Response, select the Remove & Restart button, and then Remove Response and Restart in the prompt.

Mobile

Have an iPhone, iPad, or Apple Watch? You need to update it right now

iPhone 14 Pro Max against a red background.

If you own an Apple product — be in the iPhone, iPad, Apple Watch, or a Mac — you should update it immediately. Why? Apple has begun rolling out updates to all of its devices with fixes for a serious security vulnerability.

The security vulnerability is known as CVE-2023-32434, and it has to do with the kernel privileges of Apple devices. Per Apple's website, the vulnerability allows third-party apps to "execute arbitrary code." In other words, if a bad actor knows how to exploit this vulnerability, they could potentially gain access to your Apple device and wreck havoc.

Mobile

WWDC 2023: everything announced at Apple’s huge event

As regular as the tides, Apple’s Worldwide Developer Conference (WWDC) has become a big and highly anticipated part of our calendar. As is usual, this year’s keynote announcements will include all the usual improvements for iOS, iPadOS, watchOS, macOS, and more — but this year is also different, thanks to the reveal of a brand new area for Apple, the Vision Pro headset.

The keynote was jammed full of content, as usual, and there's plenty to talk about. Here's a recap of everything Apple announced at WWDC 2023!
Vision Pro VR headset