Dear Apple, FIX YOUR SHIT. Much love, Me <3

Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.

What didn’t happen was the corresponding OS X patch. At least not yet.

WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?

Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.

Love and hugs as always,

Me <3

19 Responses to Dear Apple, FIX YOUR SHIT. Much love, Me <3

  1. Pete says:

    So I half agree with you about this post.

    1.) It is bullshit that they couldn’t cut a patch for OS X 10.9

    2.) We’re not helpless!

    The NSS based browsers are *not* vulnerable so you can use them e.g. chrome and firefox as an alternative in the mean time. It’s not great but it’s a start.

  2. Eric says:

    You can take one measure: don’t use Safari.

    This vulnerability is endemic to Safari, but other browsers, as they use different SSL libraries, are not vulnerable to it.

    So use Firefox or something instead and you’ll be OK until Apple gets their act together.

  3. Kristin says:

    Alternate browsers are a workable stop-gap for the web aspect, sure, but how about the iTunes Store? How about any other parts of the OS that are using the same vulnerable code that we probably don’t know about? Very sorry but it’s patch or GTFO.

    • Andy Osira says:

      Perhaps the folk above just use their macs for surfing?!
      Never mind, rest assured some of us get the seriousness of your point…
      FWIW this explains a few odd hacks I’ve seen over the last two years where all other possibilities have been discounted ….
      On the plus side, Siri on my iPad is enjoying me dictating emails to it whilst I wait to see whether it’s safe to return to my mac.

  4. […] THE EVER LOVING F**K, APPLE??!?!!” wrote former Apple security researcher Kristin Paget in a post on her personal blog Sunday. “FIX. YOUR. […]

  5. Ramon says:

    Using Chrome doesn’t avoid the problem, I think the worst part of it all that Apples own update-system is vulnerable to the attack

  6. Benjamin Randolph says:

    Great “letter”. You made me laugh this morning.

  7. CptnWsdm says:

    This would be an excellent day to give your sweet little Mac a day off. Apple Shut Down, and let her rest till all this blows over — perhaps tomorrow. :)

  8. CptnWsdm says:

    On the other hand, if you were cautious, and still don’t have Mavericks installed, then by all means work/play away!

    • fred says:

      So I just read this in The Guardian

      “Note that Apple isn’t offering an update to iOS 6 for devices which can be updated to iOS 7 (iPhone 4, iPad 2, etc). For those, your only options are to update, or live dangerously.”

      This is why I hate Apple. Not allowing me to run a safe back-level version of one of their operating systems. Frankly I would not put it past them to do this sort of stuff just to scare recalcitrants like me into ‘getting with the program’ and upgrading to iOS7 (which I have no other need or desire to do). Why would I want to run a back-level version of an Apple operating system, you ask? I also read this:

      “If you’re using a Mac on an older OS version, ie 10.8 (”Mountain Lion”) or earlier, you’re safe.”

      Yep – that’s me. Safe. Running 10.8.2 and perfectly happy. No need to fix what ain’t broke – but then Apple go and break it on purpose. Over and over again. (iTunes 11, I’m looking at you. Plenty of other examples, too.) ALWAYS BE CAUTIOUS!

  9. Braden says:

    Apple’s own update system is vulnerable in letter but not in spirit. By that, I mean that although the TLS connection is vulnerable, the TLS connection was only added recently (10.8 or 10.9), and it only protects metadata. The content of the update is signed with Apple’s root CA.

  10. MaxxD says:

    Yes, is vulnerable:

    otool -L /Applications/ |grep 55471
    /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 55471.0.0)

    Chrome is not affected. (use to check your browser)

    I scanned a fairly freshly installed Mavericks and found 37 vulnerable apps including iWork, Software Update, Twitter…

    • Steve says:

      What happens if, for example, the output from otool (after the patch) run against shows 55471.0.0? That seems bad. Other apps, such as now show 55471.12.0.

      • MaxxD says:

        Since the Security Library is “shared” most apps will not keep their own copy. For example, the new with 10.9.2 was rebuilt against the new patched version of Security.Framework, but Numbers was not. However, Numbers will still use the new framework because it does not keep a private copy, even though it was last built against the vulnerable one. (Of course, this means that apps that were previously built against a “safe” version started using the vulnerable version when it was installed.)

        So, to amend, change the grep to “|grep -i security.framework” — this will tell you if the app in question uses that framework at all because, if it does, it was vulnerable regardless of which version it was initially compiled against.

        This defect has been around for almost a year, so any app that used that framework over the past year may have leaked credentials. I would certainly change your Apple ID, and any other credentials that may have been passed around by any app using that framework.

        Chrome and Firefox use their own, private versions of SSL (not Security.Framework), which is why they were safe to use even prior to the patch.
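The check MaxxD describes in this thread, written out as a small triage script. This is an added example, not code from the post or from any commenter: it parses `otool -L` output, applies the amended test (does the binary link Security.framework at all, since the framework is shared and the version recorded in the app only says what it was built against), and compares the framework version actually installed against the build the comments report as fixed. The framework path is the one quoted above; the sample app names, the libSystem version and the choice of 55471.12.0 as the first fixed build are assumptions drawn from the comments rather than from an Apple advisory.

```python
"""Triage helper for the SecureTransport "goto fail" defect on OS X.

Added example, not code from the blog post or its commenters. It follows
the check MaxxD describes in comment 10: parse `otool -L` output, decide
whether a binary links Security.framework at all (the framework is shared,
so that is what matters), and compare the framework version actually
installed against the first build the comments report as fixed.
"""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# One dependency line of `otool -L` output, e.g.
#   \t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
OTOOL_DEP = re.compile(
    r"^\s*(?P<path>\S+) \(compatibility version (?P<compat>[\d.]+), "
    r"current version (?P<current>[\d.]+)\)\s*$"
)

# Path quoted in the comment thread above.
SECURITY_FRAMEWORK = "/System/Library/Frameworks/Security.framework/Versions/A/Security"

# Versions quoted in the comments: 55471.0.0 is the vulnerable build and
# 55471.12.0 is what shipped with 10.9.2. Treating 55471.12.0 as the first
# fixed build is an assumption drawn from those comments, not from Apple.
FIRST_FIXED: Version = (55471, 12, 0)


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def parse_otool(output: str) -> List[Tuple[str, Version]]:
    """Return (library path, current version) pairs from `otool -L` output.

    The first line, the binary's own name followed by ':', does not match
    the dependency pattern and is skipped.
    """
    deps = []
    for line in output.splitlines():
        m = OTOOL_DEP.match(line)
        if m:
            deps.append((m.group("path"), parse_version(m.group("current"))))
    return deps


def links_security_framework(deps: List[Tuple[str, Version]]) -> bool:
    """MaxxD's amended check: the equivalent of `grep -i security.framework`."""
    return any("security.framework" in path.lower() for path, _ in deps)


def assess(output: str, installed: Optional[Version]) -> str:
    """Classify one binary from its `otool -L` output.

    `installed` is the version of the shared Security.framework on disk.
    The version in the binary's own load command only says what it was
    built against; when `installed` is unknown we fall back to it and say so.
    """
    deps = parse_otool(output)
    if not links_security_framework(deps):
        return "not-linked"
    if installed is None:
        installed = next(v for p, v in deps if "security.framework" in p.lower())
        suffix = " (built-against version; installed version unknown)"
    else:
        suffix = ""
    return ("patched" if installed >= FIRST_FIXED else "vulnerable") + suffix


def installed_security_version() -> Optional[Version]:
    """Ask otool for the installed framework's own version (macOS only).

    `otool -L` on a dylib prints the dylib's install name first, carrying
    its own current version, so the first dependency line is the answer.
    Returns None where otool is missing, e.g. on Linux.
    """
    try:
        out = subprocess.run(["otool", "-L", SECURITY_FRAMEWORK],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    deps = parse_otool(out)
    return deps[0][1] if deps else None


# Constructed sample output in the shape of `otool -L`: the app names and the
# libSystem version are made up, the Security.framework version is the page's.
SAMPLE_OLD_APP = """\
/Applications/ExampleOld.app/Contents/MacOS/ExampleOld:
\t/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 55471.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
"""

SAMPLE_NO_SECURITY = """\
/Applications/ExampleTool.app/Contents/MacOS/ExampleTool:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
"""

if __name__ == "__main__":
    live = installed_security_version()
    for name, sample in [("ExampleOld", SAMPLE_OLD_APP), ("ExampleTool", SAMPLE_NO_SECURITY)]:
        print(name, assess(sample, live))
```

Run on a Mac it feeds `assess` the real installed framework version, so an app built against 55471.0.0 on a 10.9.2 system reports "patched", which is exactly the Numbers case MaxxD describes; off a Mac it falls back to the built-against version and says that the installed version is unknown.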

  11. […] Love this letter in regards to the SSL bug Dear Apple, FIX YOUR SHIT. Much love, Me | Kristin Paget's Blog […]

  12. Eric P. says:

    I thought it was worth pointing out that since the original public release of this bug it has been confirmed in iOS 6.something back to Sept. 2012.

  13. Schwarzmaler says:

    Can’t agree more. This was just unprofessional. Shine the light on a really broken serious error, and go into the weekend. Thank god 10.9.2 is out, finally.

  14. Eric P. says:

    I think the shit that needs fixing wasn’t the bug but 1) the QA that didn’t catch this for 18+ months and 2) the corporate attitude that it is ok to go home with such a large 0-day