iPhone and OS X Users Beware, All Your Data Is Public (eg. When at your fav Starbucks)



Apple released an important patch today to prevent potential interception and manipulation of encrypted connections. The bug had been introduced almost 6 months ago; the security community believes this is a backdoor deliberately introduced by one of Apple’s engineers.
EDIT: The patch is so far only available for iOS 7.0.6, but OS X 10.9.1 is still vulnerable. Mac users: DO NOT use Safari and other applications that are potentially using the OS X SSL/TLS libraries until a patch is available! iPhone and iPad users: Update immediately to 7.0.6!
EDIT2: 23rd Feb, 2014: You can check if you are vulnerable by going to www.gotofail.com.
EDIT3: 23rd Feb, 2014: Stefan Esser released an unofficial patch for the vulnerability on Mac OS X.
EDIT4: 23rd Feb, 2014: I added a comparison between different compilers.
EDIT5: 23rd Feb, 2014: My kiwi friend recommended that I change the title from “SSLVerifySignedServerKeyExchange() a.k.a. The “goto epicfail;” bug”.
EDIT6: 25th Feb, 2014: Apple finally released a patch for OS X.

Today, Apple released an important patch for iOS (CVE-2014-1266), where Secure Transport (SSL/TLS) failed to validate the authenticity of “secure” connections. This issue was addressed by restoring missing validation steps. This translates into potential man-in-the-middle (interception and manipulation of encrypted data) weaknesses, as highlighted by Apple: “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS”.

The bug: goto fail;

As pointed out by pencilo on Hacker News a few hours ago, Apple introduced a bug in the SSLVerifySignedServerKeyExchange() function. Stefan Esser later pointed out on Twitter that the bug seemed to have been introduced recently, because it wasn’t present in OS X 10.8.5 (October 3, 2013) but is in 10.9.1. In other words, this bug lasted almost 6 months for iOS, and is hopefully going to be patched in OS X 10.9.2 next week.

                       /* plaintext */
                       dataToSignLen,     /* plaintext length */
        "SSLDecodeSignedServerKeyExchange: sslRawVerify "
                    "returned %d\n"

The bug is actually a duplicated “goto fail;”. For most programmers, it is really a bit hard to believe that such a bug was introduced unintentionally and is the result of an “error mistake”. We (security researchers) are already expecting denials from Apple PR.
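The effect of a duplicated “goto fail;” can be reproduced in a few lines. The following is an added example, not Apple's code and not code from the original post: hash_update(), raw_verify(), verify_buggy() and verify_fixed() are hypothetical names, and the hash and signature values are toy stand-ins constructed for the demonstration.

```c
#include <stdio.h>

/* Toy stand-ins (assumptions): a "hash" step that always succeeds and a
 * signature check that compares the hash against the supplied value. */
static int hash_update(unsigned *h, const char *data) {
    for (; *data; data++) *h = *h * 31u + (unsigned char)*data;
    return 0;                        /* 0 = success */
}

static int raw_verify(unsigned h, unsigned signature) {
    return h == signature ? 0 : -1;  /* non-zero = bad signature */
}

/* Same control flow as the bug: the second goto is unconditional, so the
 * verification below it never runs and err is still 0 from hash_update. */
int verify_buggy(const char *params, unsigned signature) {
    int err;
    unsigned h = 7;
    if ((err = hash_update(&h, "server-random")) != 0)
        goto fail;
    if ((err = hash_update(&h, params)) != 0)
        goto fail;
        goto fail;
    err = raw_verify(h, signature);
fail:
    return err;
}

/* Corrected form: braces on every branch and no stray jump. */
int verify_fixed(const char *params, unsigned signature) {
    int err;
    unsigned h = 7;
    if ((err = hash_update(&h, "server-random")) != 0) {
        goto fail;
    }
    if ((err = hash_update(&h, params)) != 0) {
        goto fail;
    }
    err = raw_verify(h, signature);
fail:
    return err;
}

int main(void) {
    unsigned forged = 0xdeadbeefu;   /* constructed value, not a valid signature */
    printf("buggy: %d\n", verify_buggy("dh-params", forged));
    printf("fixed: %d\n", verify_fixed("dh-params", forged));
    return 0;
}
```

Built with Clang and -Wunreachable-code -Werror, the raw_verify() call in verify_buggy() is reported as code that will never be executed and the build stops.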

Compilation best practices: a comparison between different compilers on different platforms.

One of the main reasons this is hard to believe is that this is an easy mistake for modern compilers to catch, since all modern compilers have “Treat warnings as errors” and “Catch all warnings” options.

Both the GCC and Clang compilers have compilation options to catch basic mistakes such as unreachable code as warnings, and also to treat warnings as errors, which prevents compilation if any “warnings” have been detected in the code. EDIT: GCC does not have an option to detect unreachable code anymore!

EDIT:

| Compiler | Option | Description |
|---|---|---|
| Visual Studio | /WX | Make all warnings into errors |
| Visual Studio | /Wall | This enables all the warnings. Including unreachable code. |
| GCC | -Werror | Make all warnings into errors |
| GCC | -Wall | Enables all the warnings about constructions that some users consider questionable, and that are easy to avoid (or modify to prevent the warning), even in conjunction with macros. *NOT* including unreachable code. Flags: -Waddress, -Warray-bounds (only with -O2), -Wc++11-compat, -Wchar-subscripts, -Wenum-compare (in C/ObjC; this is on by default in C++), -Wimplicit-int (C and Objective-C only), -Wimplicit-function-declaration (C and Objective-C only), -Wcomment, -Wformat, -Wmain (only for C/ObjC and unless -ffreestanding), -Wmaybe-uninitialized, -Wmissing-braces (only for C/ObjC), -Wnonnull, -Wopenmp-simd, -Wparentheses, -Wpointer-sign, -Wreorder, -Wreturn-type, -Wsequence-point, -Wsign-compare (only in C++), -Wstrict-aliasing, -Wstrict-overflow=1, -Wswitch, -Wtrigraphs, -Wuninitialized, -Wunknown-pragmas, -Wunused-function, -Wunused-label, -Wunused-value, -Wunused-variable, -Wvolatile-register-var |
| GCC | -Wextra | This enables some extra warning flags that are not enabled by -Wall. *NOT* including unreachable code. Flags: -Wclobbered, -Wempty-body, -Wignored-qualifiers, -Wmissing-field-initializers, -Wmissing-parameter-type (C only), -Wold-style-declaration (C only), -Woverride-init, -Wsign-compare, -Wtype-limits, -Wuninitialized, -Wunused-parameter (only with -Wunused or -Wall), -Wunused-but-set-parameter (only with -Wunused or -Wall) |
| GCC | -Wunreachable-code | Warn if the compiler detects that code will never be executed. This option was present up to GCC 4.4 but was later removed as stated here from a 2011 post: http://gcc.gnu.org/ml/gcc-help/2011-05/msg00360.html |
| Clang | -Weverything | (Clang only) Higher level than -Wextra. This enables all warnings which seems to also include -Wunreachable-code as pointed out by Peter Nelson and Adam Langley. Clang also has UnreachableCodeChecker.cpp present as part of its Static analyzer. |

Here is a basic example of a similar bug on Windows using the Visual Studio 2012 compiler with the following options: /W4 or /Wall (Catch all warnings) and /WX (Treat warnings as errors).

        "Reachable code\n"
        "Unreachable code.\n"
        "BuggedFunction(%d) = %d\n", argc, Err);
    }

If you try to compile the code above with the options mentioned above, you will get the following errors reported by the compiler, and this will prevent the compiler from completing its task until the programmer manually fixes those errors.

1>------ Rebuild All started: Project: gotofail, Configuration: Release Win32 ------
1>  gotofail.c
1>  Generating code
1>c:\users\msuiche\documents\visual studio 2012\projects\gotofail\gotofail.c(27): error C2220: warning treated as error - no 'executable' file generated
1>c:\users\msuiche\documents\visual studio 2012\projects\gotofail\gotofail.c(27): warning C4702: unreachable code
1>LINK : fatal error LNK1257: code generation failed
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========

Conclusion: Human mistake?

As I said above, this means Apple either does not use proper compilation options to enforce the security of its products, or that someone deliberately disabled them for this module to be able to enable this bug that would normally not even exist in 2014, especially if you are a company like Apple… This is a fail on so many levels from an engineering point of view: on the developer side, on the code review side, on the poor compilation tools used, and on the QA side that is supposed to catch these kinds of regressions.
