
Davis, California

Saturday, March 2, 2024

Attention Apple device users: Bug in Apple’s security code

For all Apple device users, be it iPhone, iPod, iPad or Mac, a recent software update fixes a critical flaw in the code that secures encrypted (SSL/TLS) connections and protects the integrity of information sent online. Through this hole in the operating software, which has existed since iOS 6, an attacker positioned on the same network could intercept a supposedly secure connection and potentially access confidential information such as passwords, bank account details and pretty much any other private data handled by your device. If you have not updated your Apple devices recently, we recommend doing so as soon as possible.

The patch for iOS, meaning iPhone, iPad and iPod, came through on Feb. 21. Yet the bug applied to the Macintosh OS X platform as well, and Apple waited until Feb. 25 to provide the corresponding software patch for its Mac users. Because the iOS update had already publicly acknowledged the flaw in the source code, the delay left Mac users exposed to a known hole for four days, and Apple has since been scrutinized for its lack of promptness in fixing such a large hole in security.
The programming code which contained the fatal error is presented here, indented as it appears in Apple's published source:

if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;

This section of code runs when an Apple device connects to an encrypted (HTTPS) site, and it is supposed to verify the server's signature over the key-exchange parameters: the proof that the site actually holds the private key belonging to its certificate. Imagine typing in your bank's web address and having a forged page displayed instead; where this function should verify the site's key, it does not. The real bug is in two words of the included code, "goto fail;", more specifically the second occurrence.

For anyone who has taken an introductory computer science class, the problem should be fairly obvious. Apple made a very basic mistake in a very important section of its code. The command "goto fail;" jumps unconditionally to the "fail" label further down the function, where the function cleans up and returns.

The first "goto fail;" is correct and acts as a vital error check: it belongs to the "if-statement" above and only runs when that hash update fails. The second is a duplicate that is not attached to any "if-statement"; the indentation makes it look conditional, but C ignores indentation, so it runs every time. The result is that the function always jumps to "fail" before the remaining checks, and because the error variable is still zero at that point (the check just above it passed), the function returns success. The final signature verification is never performed, so a server presenting a bad signature is accepted as genuine.
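To make the control flow concrete, here is an added example (not Apple's code) that reproduces the bug in a small stand-in for the affected function and places the corrected version beside it. The struct, the function names verify_vulnerable and verify_fixed, and the error value are assumptions for this example; the three hash-update steps followed by a final signature check mirror the shape of the real function.

```c
#include <stdio.h>

/*
 * Constructed stand-in for Apple's SSLVerifySignedServerKeyExchange().
 * The real function feeds the client random, server random and signed
 * key-exchange parameters into a SHA-1 hash, then verifies the server's
 * signature over that hash. Here each *_err field stands in for the
 * return code of one SSLHashSHA1.update() call (0 = success), and
 * signature_ok stands in for the outcome of the final signature check.
 * Names and values are assumptions for this example, not Apple's API.
 */
typedef struct {
    int client_random_err;   /* SSLHashSHA1.update(&hashCtx, &clientRandom) */
    int server_random_err;   /* SSLHashSHA1.update(&hashCtx, &serverRandom) */
    int signed_params_err;   /* SSLHashSHA1.update(&hashCtx, &signedParams) */
    int signature_ok;        /* 1 if the server's signature would verify */
} KeyExchangeInput;

#define ERR_BAD_SIGNATURE 1  /* constructed error code for a failed signature check */

/* Vulnerable form: same control flow as the shipped code, duplicated "goto fail;" included. */
int verify_vulnerable(const KeyExchangeInput *in)
{
    int err;

    if ((err = in->client_random_err) != 0)
        goto fail;
    if ((err = in->server_random_err) != 0)
        goto fail;
    if ((err = in->signed_params_err) != 0)
        goto fail;
        goto fail;   /* not part of the if above: always executes, with err == 0 */

    /* Unreachable: the signature is never actually checked. */
    if (!in->signature_ok)
        err = ERR_BAD_SIGNATURE;

fail:
    return err;      /* 0 tells the caller the key exchange verified */
}

/* Fixed form: braces make each jump explicitly conditional, and the signature check is reached. */
int verify_fixed(const KeyExchangeInput *in)
{
    int err;

    if ((err = in->client_random_err) != 0) {
        goto fail;
    }
    if ((err = in->server_random_err) != 0) {
        goto fail;
    }
    if ((err = in->signed_params_err) != 0) {
        goto fail;
    }
    if (!in->signature_ok) {
        err = ERR_BAD_SIGNATURE;
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Constructed scenario: every hash update succeeds, but the server's signature is forged. */
    KeyExchangeInput forged = { 0, 0, 0, 0 };

    printf("vulnerable: %d (0 = accepted)\n", verify_vulnerable(&forged));
    printf("fixed:      %d (0 = accepted)\n", verify_fixed(&forged));
    return 0;
}
```

Run as written, the vulnerable version reports 0 (accepted) for the forged signature while the fixed version rejects it. A compiler can catch this pattern before it ships: GCC's -Wmisleading-indentation, part of -Wall since GCC 6, warns on the indented second "goto fail;" because it is not guarded by the if above it.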

Those concerned with their internet security may visit Gotofail.com using Apple's Safari browser to test whether their device needs updating.
