Apple totally screwed up SSL with a fundamental bug in their certificate checking implementation in both MacOS 10.9 and iOS 7. Every consumer iPhone, iPad, and Macintosh running recent versions of their OS is vulnerable. My understanding is SSL certificate checking basically does not work and any secure site can be spoofed with a man-in-the-middle attack. It’s about as deep a flaw as it goes. There’s a patch for iOS out but not yet for MacOS. You can test if a browser is vulnerable here.

The bug boils down to a simple typo in the code, the good ol’ C gotcha that indentation doesn’t match control flow. Bugs like that happen in C. What’s alarming is Apple didn’t catch the bug; not with a lint tool, not in code review, not in unit testing, not in integration testing. No aspect of Apple’s software development process caught this bug before releasing it to millions of users. That’s terrible engineering practice; in a critical security library it’s outright negligence.

At the moment MacOS users are entirely vulnerable and there’s no fix. In the past Apple has taken many weeks to fix critical bugs in things like Java, hopefully they’ll be faster here. Using Chrome instead of Safari will insulate you from malicious web servers, Chrome wisely has its own SSL implementation. But a whole lot of other Mac software is relying on the broken certificate library, presumably including Apple’s own software update system.

Nice of Apple to publish the exploit before the fix.

  2014-02-22 17:09 Z