GotoFail: How to Patch a Flaw When Your Update Process is Vulnerable

We first heard about the GoToFail security hole in Apple’s iOS and OS X Mavericks operating systems on Friday, when a patch was rolled out to close the SSL/TLS flaw in iOS. News quickly followed that OS X Mavericks was subject to the same vulnerability, which could allow prying eyes to view data that users thought was encrypted. The encryption itself was not the problem: an errant duplicated line of code, an unconditional "goto fail;" statement, caused the signature check on the server's key-exchange message to be skipped, so an attacker on the network path could impersonate any SSL/TLS server and read or alter the traffic while the client still believed the connection was authenticated.
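The control-flow defect is easier to see than to describe. The following is an added example written for this article, not Apple's code: it reproduces the shape of the bug with hypothetical stand-ins (hash_update, verify_signature, the error constants and the KeyExchange struct are all invented for illustration) and shows why a forged key exchange passes the vulnerable version and fails the fixed one.

```c
#include <stdio.h>
#include <string.h>

/* Error codes standing in for the status values a TLS library would return
 * (hypothetical constants, not Apple's). */
#define OK          0
#define ERR_HASH   -1
#define ERR_VERIFY -2

/* Simplified model of a ServerKeyExchange message: the signed data and the
 * signature a man-in-the-middle would have to forge. */
typedef struct {
    const char *message;
    const char *signature;
} KeyExchange;

/* Stand-in for a hash-update step that fails only on a NULL buffer. */
static int hash_update(const char *buf)
{
    return buf ? OK : ERR_HASH;
}

/* Stand-in for the final signature check. In this toy model a signature
 * "verifies" only if it is literally the string "valid-signature". */
static int verify_signature(const KeyExchange *kx)
{
    return strcmp(kx->signature, "valid-signature") == 0 ? OK : ERR_VERIFY;
}

/* Vulnerable shape: the second goto is not guarded by any if, so control
 * always jumps to fail: with err still OK, and the signature check below
 * is dead code. The function reports success for any signature at all. */
int verify_key_exchange_vulnerable(const KeyExchange *kx)
{
    int err;
    if ((err = hash_update(kx->message)) != OK)
        goto fail;
        goto fail;                              /* the errant duplicate line */
    if ((err = verify_signature(kx)) != OK)     /* never executed */
        goto fail;
fail:
    return err;
}

/* Fixed shape: exactly one goto per condition, so the signature check runs. */
int verify_key_exchange_fixed(const KeyExchange *kx)
{
    int err;
    if ((err = hash_update(kx->message)) != OK)
        goto fail;
    if ((err = verify_signature(kx)) != OK)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* Constructed input: a key exchange with a signature no real server produced. */
    KeyExchange forged = { "ServerKeyExchange params", "forged-by-mitm" };
    printf("vulnerable: %d\n", verify_key_exchange_vulnerable(&forged));
    printf("fixed:      %d\n", verify_key_exchange_fixed(&forged));
    return 0;
}
```

The vulnerable function returns 0 ("verified") for the forged input because err was last set by a step that succeeded; the fixed one returns ERR_VERIFY. Two cheap guards against this class of slip are always bracing the body of an if, so a stray line cannot silently change its scope, and compiling with clang's -Wunreachable-code, which flags the dead signature check.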

It’s now late Monday night CST here in the US and Apple has issued nothing further than a promise to fix the issue in OS X Mavericks “very soon.” There’s no reason to doubt that Apple is working hard to correct the issue, but this evening I ran across this intriguing tweet from Aldo Cortesi that is certainly fodder for the curious:



What Cortesi is alluding to is that Apple’s Software Update is itself on the list of vulnerable apps that people are recommending Mavericks users avoid until the hole is patched: the very channel that would deliver the fix depends on the broken SSL/TLS code. Again, I would imagine we’ll be hearing about a patch soon, but Cortesi raises quite a conundrum that I imagine someone at Apple has been thinking, and possibly sweating, about these last few days. Keep in mind that the iOS update rolled out before we had heard much publicly about the type of vulnerability we now know exists.