When will Apple get serious about security?

Summary: The tech community (and beyond) is in an uproar over the recently revealed iOS and OS X SSL/TLS code flaw. Apple developers have questions about Apple's commitment to quality and about the flaw itself.


Apple on Friday pushed out an iOS fix for the SSL/TLS bug. The concerns of the Mac community then shifted to the still-missing patch for OS X. An Apple spokesperson said the fix was due very soon. That "soon" didn't arrive over the weekend. Maybe Monday.

Several Apple developer bloggers offered comments about the issue. Michael Tsai pointed out that this is a Mavericks problem and, for developers, also a problem in the various seeds of upcoming versions already in their hands.

You can test whether your device is affected at gotofail.com or imperialviolet.org:1266. At this writing, Mac OS X 10.9, including current seeds, is still vulnerable. iOS 5 and Mac OS X 10.8 never had the bug. It’s fixed in iOS 6.1.6 and iOS 7.0.6.

The problem line is an extra goto fail; that appears to be a simple copy/paste error. My guess is that the author may have used a multiple copy command and forgotten about the extra goto.  Tsai points to a very funny comic about goto by Randall Munroe on his XKCD, webcomic of romance, sarcasm, math, and language.  Tsai doesn't blame the programmer as much as the testing process.

The offending line of code is a single extra goto in SSLVerifySignedServerKeyExchange(). In my view, this is not an improper use of goto. The code follows a standard C error handling style. I’m also unpersuaded by the argument that the bug should be blamed on brace format preferences.

Any of us could have written a bug like this, especially when merging changes from different sources. But a flaw in process is what let the bug ship. If ever there were code that should be unit tested, it’s Secure Transport. Landon Fuller shows that it would have been easy to write a test to detect this regression.
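To make the control-flow defect concrete, here is an added, reduced model of the pattern Tsai describes (illustration code written for this article, not Apple's Secure Transport source): hypothetical stub steps stand in for the hash updates and the final signature verification, and a regression check of the kind Fuller describes shows that the variant with the duplicated goto accepts a bad signature while the corrected one rejects it.

```c
#define ERR_VERIFY_FAILED (-1)   /* constructed stand-in for a Secure Transport error code */

/* Hypothetical stub: steps 1 and 2 model the hash updates, step 3 models the final
 * signature verification. Returns 0 unless n is the step chosen to fail. */
static int step(int failing_step, int n)
{
    return (failing_step == n) ? ERR_VERIFY_FAILED : 0;
}

/* Reduced model of the vulnerable routine: the duplicated, unconditional "goto fail;"
 * reaches the cleanup label while err still holds 0 from the last successful step,
 * so the signature verification is never executed. */
int verify_buggy(int failing_step)
{
    int err;
    if ((err = step(failing_step, 1)) != 0)
        goto fail;
    if ((err = step(failing_step, 2)) != 0)
        goto fail;
        goto fail;                              /* the extra goto (copy/paste error) */
    if ((err = step(failing_step, 3)) != 0)     /* unreachable */
        goto fail;
fail:
    return err;                                 /* 0 means "signature accepted" */
}

/* The same routine with the extra goto removed: every step is evaluated. */
int verify_fixed(int failing_step)
{
    int err;
    if ((err = step(failing_step, 1)) != 0)
        goto fail;
    if ((err = step(failing_step, 2)) != 0)
        goto fail;
    if ((err = step(failing_step, 3)) != 0)
        goto fail;
fail:
    return err;
}

/* Regression check of the kind the article calls for: a verifier must reject an
 * input whose signature step fails. Returns 1 if it rejects it, 0 if it accepts. */
int rejects_bad_signature(int (*verify)(int))
{
    return verify(3) != 0;
}
```

Compiling the buggy variant with -Wunreachable-code (discussed in the comments below) flags the skipped check, which is why the commenters note that -Wall alone would not have caught it.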

However, Lloyd Chambers at The Mac Performance Guide said it's continuing evidence of "core rot." He's had a special report up on the subject for quite a while. Chambers says that Apple appears to have plenty of engineers for "eye candy," as well as for screwing up usability, but not for security and testing.

In an age where millions of always-on devices are at risk, you don’t screw up fundamentally critical things like this. It’s one reason I abhor gatekeeper type services like the Apple App Store: one screwup and the entire system is at risk worldwide for tens or hundreds of millions of devices. I wrote about this months ago, and while some readers poo-pooed my remarks as alarmist, I repeat that warning even more emphatically now.

To Chambers, an advocate of open-sourcing, the answer is to open the code up for wider inspection. The more eyes the better. But that's not the Apple way. He's also concerned about Apple's lack of quick communication to its user base. For example, what about non-Apple browsers running on OS X?

It’s not clear at all if use of Google Chrome or Mozilla Firefox avoids the security issue, but Apple kicks Mac users in the teeth by not IMMEDIATELY making that point clear (so users can avoid Safari). Apple should be on paid television telling users exactly how to safeguard their internet use, how to play it safe. It’s unconscionable. The core rot extends to ethics apparently.

Good points. However, I suggest that Apple's top brass and corporate culture haven't caught up to the demands of its new role as a market leader. A number of years ago, I noted that Apple's software engineering team was stretched to the limit by the release cycles of Mac OS and iOS. Engineers spent their energy working on one "side" (iOS) while bugs went unfixed on the Mac side. The software engineering team was stretched thin. I was told that engineers with considerable experience on critical APIs were redirected to other projects, while their previous work was left fallow or in the hands of inexperienced replacements.

Apple's closed system keeps most OS X and iOS users safe. And there's still a modicum of safety from the neglect of malware writers; most phishing attacks are done for Windows users. Still, the key to Apple's strategy is that it can always execute on its OSes and applications. If it doesn't, then we all sink together.

  • When will ZDnet quit with the Anti Apple Rhetoric ?

    • The rhetoric is appropriate in this case

      and as Apple's Mac based customers, we should be turning our ire on the people who made our defective OS, not people rightly pointing out Apple's irresponsibility!

      I'm not an Apple shareholder. I use their products because I think they're good, and enjoy their approach. When they fall short of those reasons I've selected their products, I darn well reserve the right to say so!
      • Re: The rhetoric is appropriate in this case....

        There is probably some merit in what you say; however, I am starting to lose count of the number of articles that have been floated here relating to the SSL/TLS issue and OS X.
        It's not that it's not serious. It's more about making the most of the ammunition in relation to an Apple product.
        I am utterly certain Linux or the other proprietary platform would not be dealt with so harshly, and in the real world such rhetoric would most likely be deemed corporate slander.
      • Nope

        There is merit in criticizing Apple on this, and their testing for sure. But the hysteria is just hilarious. Windows was vulnerable for over a decade (finally getting it mostly right in Windows 7) and the tech world gives them a pass. Apple patches it pretty darn quick on iOS and soon in OS X (we've been expecting an OS X update to drop any day now).

        But the opportunistic low-lifes who thrive on stirring up nonsense about Apple finally have a shred of a credible criticism, and they are milking it for all they can.

        To summarize, yes, criticize Apple for this big mistake. No, don't feed the trolls.
        • Agree; Apple is pretty serious about security; never allowed any big-scale

          ... security breaches, quickly fixes discovered bugs.
  • When it looks and smells exactly like Windows....

    When it looks and smells exactly like Windows.... However, to be fair to ZDnet, they have written some great articles about the Mac. Big headlines do attract readers. Perhaps they are trying to 'shame' Apple into a quick fix here. One thing that PC users should be grateful for is the fact that Apple is competition, and when there is competition in the market place, everybody wins. Don't believe me? Check out the LADA car from Russia back a few years: no competition, no improvements. The car came complete with a toolbox!! I have always been grateful for the PCs, as the cheap computers you could buy in the Windows world eventually forced Apple to lower their prices. Remember the original Macs (the Fisher Price model), for 3,500 dollars?
    • Apple's security hopes to one day be as good as Windows...

      A quick fix? This exploit has been around since September..... of 2012. Mock Windows' constant updates all you want, but Apple confused a lack of large-scale viruses due to their relative size with invulnerability, and is ill suited to catch and monitor security exploits, let alone respond to them in the way Windows has developed and fine-tuned over the past decade of dealing with issues.
      • Yawn

        Spin Spin Spin
        Henry 3 Dogg
      • Yawn...

        "A quick fix? This exploit has been around since September..... of 2012."

        OK. I'll bite. Give me any and all examples of this leading to an actual exploit, from real Apple users.
  • I actually do blame the idiot programmer

    GCC would have alerted with an unreachable code warning. You have to be pretty dense to turn compiler warnings off, and even more dense to check back into the repository/autobuild system without compiling it at least once yourself!
    • Not necessarily

      Adam Langley says GCC 4.8.2 with -Wall didn't warn of it. It seems that in Clang and GCC there's a -Wunreachable-code that finds it, but it's not included in -Wall. Clang also has -Weverything that includes -Wunreachable-code but I don't see that in GCC.
      Larry Seltzer
  • Come on Apple! So glad I kept my old Win 7 laptop now.

    I do wonder just how likely an attack on the "average" user from this stuff-up really is, and whether we are all getting our knickers in a knot about how long the fix is in coming.

    Are there any actual reports of users of OSX being compromised by this vulnerability?

    Using another browser is not the answer while we wait, though the issue has been there for weeks we now discover.

    I've shut my mac down for now, and am using my trusty (now that I've done a complete reinstall) old Sony Vaio running Win 7 again until I hear that a fix from Apple is available.

    Meanwhile, I'm quite enjoying using Win 7 again. It actually does quite a few things better than OSX - though "the fix" can't come soon enough for me.
  • Re: So glad I kept my old Win 7 laptop now....

    And that is precisely what the ZDnet Microshills want to hear.
    • Frankly, it is a prudent thing to do

      using a Mac right now just isn't safe. Sure you can switch to Chrome, but TLS is also used in iMail, iMessage, and a whole host of other things. Anyone can play middleman and toss a proxy server on you and you would never know it.

      To be honest, I've done all my Internet on my tablet, and/or Windows, and will keep it that way til the fix comes out (either that, or I will fix it myself.)

      Understand that this is a serious computer security flaw. One of the worst I've seen. It is not safe in any way to use Safari, iMail, or the App Store's official Twitter client right now.
  • Who cares about an SSL flaw when you have Adobe Flash on your computer

    Zero-day exploits delivered in quantities, and all you get in the media are 3 lines about "Adobe updates Flash" ...
    • And...

      ...don't forget Java. Who's talking about that? And Flash? Flash, two updates in ONE DAY! And Apple gets raked over the coals for one thing.
  • Big Mac fan but...

    I have a house full of Macs (and a few Win machines as well), so I'm not exactly anti-Apple. But this major FU illuminates some problems I didn't know were there. First is the apparent fact that they're still using GOTO. That archaic method can easily branch around necessary cleanup and allow multiple side-effects to go undetected. Anyone who's actually given some thought to a code problem can easily find cleaner and more maintainable solutions to a problem. GOTO should have died with FORTRAN.
    Second appears to be some p*ss-poor code review practices. This may have been a last-minute tweak to code that had already been reviewed, but the code should have been locked and not touched after being reviewed. "One more thing" was a great idea for a Steve Jobs presentation, but it's usually a terrible mistake in coding.
    I enjoy most (not all) of the eye-candy aspects of OSX and as both a developer and content-creator I really appreciate the interoperability. But in this world, security reigns above all. Apple really dropped the ball.
    • How good are Apple's programmers?

      I have been neither an Apple fan nor a hater. I just feel Apple has not taken security as seriously as it should. 18 months of "Goto" leads me to believe they really are not prepared to address these problems. Everyone gives Microsoft grief, but I don't see Google or Apple doing any better.
  • Apple has a problem

    I think Apple has a problem between security and its ability to make products that communicate well together. In many ways this is the same problem Microsoft had with Windows. They worked so hard to make things easy for users to install plugins and other programs with its ActiveX that it eventually was constantly forced to work on ways to keep it but patch all its holes. I believe Apple is now going through a similar maturity: making things work also can make things more vulnerable. Google has similar problems with Android and it's probably why Chrome OS is so tied down. Mobile just appears to be the next step in where security attacks will take place.
  • Woah, woah, woah

    "To Chambers, an advocate of open-sourcing, the answer is to open the code up for wider inspection. The more eyes the better. But that's not the Apple way. "

    The SSL implementation is part of the _open source_ libsecurity. Apple fails. Open Source fails. goto fail.