The "Goto Fail" and "Heartbleed" Bugs

Goto Fail

The Goto Fail bug, which first made the news in February 2014, made it so a server you connect to can pass your computer's authentication test without having the correct private key. It only affected certain Apple products that were relatively new at the time, meaning iMac desktop computers, MacBook laptops, iPads, iPhones, and even iPod Touch and AppleTV devices. Not vulnerable were all Microsoft Windows computers and laptops, UNIX or Linux computers and laptops, Windows phones, Android phones, and older Apple computers, laptops, and other devices.

The bug was caused by a copy/paste flub an Apple programmer made while writing code to confirm the identity of a server using SSL. The error resulted in an extraneous instruction of "goto fail", giving rise to the name of the bug. If you're a coder and you look at it, it's kind of funny in a nerdy way, but not really, because, as fate would have it, the bug makes it so someone could set up an impostor website and direct your computer to go to his website instead of the one you're trying to go to, and your computer would skip execution of the SSL authentication mechanism that shows you're not at the correct site. So, while you think you're on your bank's website, you're not. When you try to log in, your computer sends your password encrypted using SSL, but it goes to the thief's computer instead of the bank's, using the thief's encryption keys instead of the bank's. The thief can then unencrypt your password and log in to your account on the real bank website and steal your money. You could likewise give away your e-mail password if the thief impersonates your mail server; in fact, gaining access to your e-mail account might be juicier because so many websites allow you to reset your password through e-mail alone.

Fortunately, to know which impostor website to set up and where to do it, the thief would have to deliberately target you. And to direct your computer to his site instead of the real one when you type the address or click on your bookmark, he would need to have some capability of reconfiguring the network you're on (this is what Apple meant in their write-up on this bug when they said the attacker has to be in a "privileged network position").

If you're using your iMac at home accessing the Internet using a properly secured router and a legitimate Internet Service Provider, it's extremely unlikely anyone would exploit this bug. But, if you use public Wi-Fi (like the free wireless access at a coffee shop or hotel), anyone else on that network could plan and execute this ruse on you, and steal your password to your bank's website. Or, if you work at a business with substantial IT infrastructure, it would be even easier for anyone in the IT department with enough privileges on the network to take advantage of the bug if you use your iPhone or iPad on your company's Wi-Fi to access personal e-mail or banking websites.

Only the built-in Apple programs, such as the Safari web browser, the Apple Mail program, and iCloud, were affected. If you only ever used Google Chrome or Mozilla Firefox or Thunderbird to browse the web or access your e-mail on your Mac, then your exposure to this bug was minimal.

Given all that, we could safely say that no one's information was successfully captured through exploitation of this bug. Nevertheless, this is a disturbing bug to learn about, because a clever thief could do all this without your knowledge. Skipping the authentication essentially gives the data thief a free pass for not having the private key of the server he's trying to impersonate, which would otherwise always thwart him. For those who were already skeptical that the SSL system is truly secure, this certainly validates the fears of even the most irrationally paranoid.

Apple fixed the bug within days of discovery. To get the fix, you just need to update your system software.

On the iPad or iPhone, make sure you have iOS software version 6.1.6 or 7.0.6 (the versions quickly released to patch the bug), version 7.1 (a scheduled release that came out three weeks after 7.0.6), or version 8 or later. If you have any variant of iOS 6 except for 6.1.6, or iOS 7.0 through 7.0.5, you have the bug. Software version 5 and earlier did not have the bug.

Then there is the AppleTV, which has the bug as well on its software version 6. If you updated to software version 6.0.2, or to 6.1 or later, then you have fixed it.

Device	Status	Fixed Software Version
iPhone 3GS iPod Touch 4th Gen.	Vulnerable on iOS 6; cannot run iOS 7	6.1.6
iPhone 4 iPhone 4S iPhone 5 iPad iPod Touch 5th Gen.	Vulnerable on iOS 6 and iOS 7	7.0.6 or later
Black AppleTV   (2nd and 3rd Gen.)	Vulnerable on software version 6	6.0.2 or later
All devices not listed above	Not vulnerable	N/A

On an iMac or MacBook running OS X Mavericks, make sure you have version 10.9.2 or later. If you still have 10.9 or 10.9.1, you have the bug. If you have upgraded to OS X Yosemite (10.10) or later, or still use OS X Mountain Lion (10.8) or earlier, you do not have the bug.