Genii Weblog

Apple security hole - the one line of code myth

Tue 25 Feb 2014, 09:49 AM



by Ben Langhinrichs
The widespread reports of the hole in iPhones, Macs using Safari and so forth have taken to repeating the myth that the problem is the one line of code with the "goto fail" problem.

To be fair, it is a single line of code, so that is not a myth. The myth is that this represents the problem, that it was a typo (according to Wired), and that Out of all the million lines of code we run every day, this one happened to be printed twice and so forth, as if the coding error were the problem. It was not. Coding errors happen all the time. Typos happen all the time. If security depending on never making a mistake, we should shut down all our computers right now.

The problem was that it wasn't detected. Security errors are caught by trying to get past the security, and it seems like the painful simplicity of getting past this security should have been detected very early. Also, Apple's original statement said that this was one line in 2000 that handle SSL security. That same 2000 lines are copied many, many places, yet nobody seems to have done a code review of this critical part of code. Trust me, programmers looking through this code would not miss the double goto. It stands out like a sore thumb.

How am I so sure of all this? Why, because it has happened to me more than once with our software products. I added an extra semi-colon once that broke the CoexLinks security.  See the pseudocode below to see how easy that is:

/* Code that always drops through to the "do stuff" part */
if (test);
  {
  /* do stuff */
  }

/* Code that only drops through to the "do stuff" part if the test is successful */
if (test)
  {
  /* do stuff */
  }

Another time, I accidentally removed a return that broke the Midas security. But neither got released, because even though I don't have Apple's budget for security and QA and so forth, one thing I always do is try to use license files that are invalid, or get rid of the license altogether. It is incomprehensible to me that Apple would not try like crazy to break through SSL security each time before a release. The idea that they don't try harder to break their own security on a routine basis means that there may be many more subtle problems with their security. This one should have been a no brainer, yet it is widespread in Apple's products. It is the other defects that aren't so glaringly obvious that should scare the hell out of Apple users.

Copyright © 2014 Genii Software Ltd.

What has been said:


1057.1. Tanny O'Haley
(02/26/2014 12:13 AM)

That is why Q/A is so important. Errors happen and I'd rather internal Q/A find the problem than a customer.


1057.2. Ben Langhinrichs
(02/26/2014 09:31 AM)

Absolutely, Tanny. I can easily believe somebody made the mistake, but I am amazed that Apple's QA is poor enough that it has been released in multiple versions.