
Patched SSL flaw in iOS might also affect OSX
Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Feb 22, 2014, 05:27 PM
 
On Friday, Apple released a critical patch for both iOS 7 and 6.

Ars Technica is now reporting that the same security flaw may be present in OSX 10.9.
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Feb 22, 2014, 07:04 PM
 
The flaw causes SSL keys to not be verified. Security test page. If you can load it, you are affected by the bug.

10.9.2 not affected (news reports)
10.9.0, 10.9.1 are affected.
10.8.5 not affected (sek929)
10.7.5 not affected (turtle)
10.6.8 / Safari 5.1.10 is not affected. Throws a verification error, refuses to load the page.
PPC 10.5.8 / Safari 5.0.6 is not affected. Throws a verification error, refuses to load the page.
( Last edited by reader50; Feb 25, 2014 at 04:58 PM. Reason: updated as info comes in)
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 22, 2014, 08:21 PM
 
10.7.5 is not affected.

-t
     
sek929
Posting Junkie
Join Date: Nov 1999
Location: Cape Cod, MA
Feb 22, 2014, 10:16 PM
 
10.8.5 Refuses to load page
     
Thorzdad  (op)
Moderator
Join Date: Aug 2001
Location: Nobletucky
Feb 23, 2014, 08:58 AM
 
From what I gather, if you are on 10.9, switching your browser to either Chrome or Firefox will mitigate the issue. However, there are other components of OSX that are affected as well.

On the iOS side of things, it looks like the fix is organized like this...
• If your iOS device is approved to run iOS 7, you must apply the 7-specific patch.
• If your iOS device is not approved to run 7, you must apply the 6-specific patch.

What this means is, if you have, for instance, an iPhone 4s and are still running iOS 6, the only way to fix this problem is to upgrade to iOS 7. You will not be given a chance to apply the 6-specific patch.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Feb 23, 2014, 12:58 PM
 
I have an iPhone 5 still on 6.x and yes, the only update option is 7.0.4, where I assume the next offer would be for 7.0.6. I took my 5s and both iPads to 7.0.6 as soon as this came out.

This is a huge flaw, it's ridiculous. How was this not caught immediately? It says a lot about Apple's security testing--this should be an automated test, very simple, and this stuff should be checked every time.

It also makes me question the rigor of US government and Defense testing--they certified iOS 6. Seems like MitM / privileged network position should be high on the list of exhaustive testing.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 23, 2014, 06:33 PM
 
The page loads in iOS Safari, but not in iOS Chrome. I'm going to apply the patch anyway, but I find that to be an interesting data point.

Glenn -----OTR/L, MOT, Tx
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Feb 23, 2014, 06:55 PM
 
They use different code. Anything calling iOS and OS X code/module is going to be vulnerable. Chrome and Firefox use their own.
     
Hawkeye_a
Addicted to MacNN
Join Date: Apr 2000
Feb 23, 2014, 07:08 PM
 
Originally Posted by reader50
The flaw causes SSL keys to not be verified. Security test page. If you can load it, you are affected by the bug
10.9.1 Safari loads, Firefox does not load
     
SSharon
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Feb 24, 2014, 12:52 AM
 
Originally Posted by Thorzdad
From what I gather, if you are on 10.9, switching your browser to either Chrome or Firefox will mitigate the issue. However, there are other components of OSX that are affected as well.

On the iOS side of things, it looks like the fix is organized like this...
• If your iOS device is approved to run iOS 7, you must apply the 7-specific patch.
• If your iOS device is not approved to run 7, you must apply the 6-specific patch.

What this means is, if you have, for instance, an iPhone 4s and are still running iOS 6, the only way to fix this problem is to upgrade to iOS 7. You will not be given a chance to apply the 6-specific patch.
This mega sucks. My iPhone 4 is still on iOS6 because I despise the calendar app in iOS7. As in I hate the calendar app so much I'm still not going to update to iOS7 despite this news and I'll take my chances with iOS6.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 24, 2014, 02:51 AM
 
Why don't you get a suitable 3rd party calendar app ?

-t
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Feb 24, 2014, 04:39 AM
 
Originally Posted by Cold Warrior
This is a huge flaw, it's ridiculous. How was this not caught immediately? It says a lot about Apple's security testing--this should be an automated test, very simple, and this stuff should be checked every time.
They clearly don't do automated pen testing. I would argue that they should, and hopefully they will now. There is also the fact that the compiler did not warn about the unreachable code. GCC does not, but then GCC's warnings aren't very good. Clang's warnings ARE good and Clang does warn if you turn on a special flag at compilation, but just turning on the regular -Wall does not result in a warning. Since Apple is very much involved in the development of Clang and LLVM, I would expect that to change as well.

I understand how the bug happened, though. The most likely answer is that it's a merge bug - someone changed one of the lines in question here, someone else made a change further up that changed the line count, and the automated merger made a mistake when reconciling things.

Originally Posted by Cold Warrior
It also makes me question the rigor of US government and Defense testing--they certified iOS 6. Seems like MitM / privileged network position should be high on the list of exhaustive testing.
Not to take this into the PWL, but... There are indications that the NSA knew about this and did not alert anyone because they wanted to have the ability to spy on iOS users. Alternatively, they know about some other iOS 7 bug that Apple hasn't found yet, which is even more worrisome.

(If you want to go completely tinfoil hat, you can imagine that the NSA planted the bug in the first place. I don't want to go that far, mostly because I can see how it would happen naturally.)
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Feb 24, 2014, 04:41 AM
 
Originally Posted by turtle777
Why don't you get a suitable 3rd party calendar app ?

-t
This. There is no lack of Calendar apps in the App Store. I use WeekCal+, I know many are happy with Fantastical.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Feb 25, 2014, 02:41 PM
 
Can anyone explain to me whether the attribute »epic« is justified? I don't want to downplay the situation, but how is this different from the gravity of a zero day exploit?
I don't suffer from insanity, I enjoy every minute of it.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Feb 25, 2014, 03:29 PM
 
It has been implied in a public scandal (the NSA snooping).
It was patched on iOS, and therefore public, for four days before the OS X patch.
The bug is obvious enough that just about any doofus can understand what happened and make uninformed commentary about what Apple should have done (no, not using goto would not have helped one bit. Correct answer is either coding styles that enforce curly braces after each if, enabling more warnings at compile time, or automated pen testing).
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
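
The bug shape discussed in P's two posts above (code made unreachable by a stray goto, and why braces after every if would have contained it while removing goto would not), as an added C example. It is not part of any post in this thread and is not Apple's code; the function names and the stub handshake steps are constructed for illustration.

```c
#include <stdio.h>

/* Constructed stand-ins for handshake steps; each returns 0 on success. */
typedef int (*step_fn)(void);
static int step_ok(void)   { return 0; }
static int step_fail(void) { return -1; }

/* Flawed shape: unbraced ifs plus one accidentally duplicated goto. */
int verify_flawed(step_fn hash_update, step_fn hash_final, step_fn sig_check)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;   /* not guarded by the if: always runs, with err == 0 */
    if ((err = hash_final()) != 0)   /* unreachable */
        goto fail;
    err = sig_check();               /* unreachable: signature never checked */
fail:
    return err;
}

/* Same logic, same duplicated line, but braces after every if. */
int verify_braced(step_fn hash_update, step_fn hash_final, step_fn sig_check)
{
    int err;
    if ((err = hash_update()) != 0) {
        goto fail;
        goto fail;   /* the duplicate is now dead code inside the block */
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = sig_check();
fail:
    return err;
}

/* Negative test: a verifier must reject a handshake whose signature is bad. */
int accepts_bad_signature(int (*verify)(step_fn, step_fn, step_fn))
{
    return verify(step_ok, step_ok, step_fail) == 0;
}

int main(void)
{
    printf("flawed accepts bad signature: %d\n", accepts_bad_signature(verify_flawed));
    printf("braced accepts bad signature: %d\n", accepts_bad_signature(verify_braced));
    return 0;
}
```

Compiling this with Clang's `-Wunreachable-code` flags the dead lines in `verify_flawed`; the negative test catches the same defect at run time.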
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Feb 25, 2014, 03:44 PM
 
That shows you how many people are running Mavericks. lol
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Feb 25, 2014, 03:45 PM
 
The OS X patch is out in the form of 10.9.2. Update now.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
ShortcutToMoncton
Addicted to MacNN
Join Date: Sep 2000
Location: The Rock
Feb 25, 2014, 05:31 PM
 
18 minutes to install, not counting download time. I could probably reinstall Mavericks faster than that. Weird.
Mankind's only chance is to harness the power of stupid.
     
ebuddy
Posting Junkie
Join Date: Aug 2003
Location: midwest
Feb 26, 2014, 08:17 AM
 
meh
( Last edited by ebuddy; Feb 28, 2014 at 06:45 PM. )
ebuddy
     
SSharon
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Feb 27, 2014, 11:52 AM
 
Originally Posted by turtle777
Why don't you get a suitable 3rd party calendar app ?

-t
Originally Posted by P
This. There is no lack of Calendar apps in the App Store. I use WeekCal+, I know many are happy with Fantastical.
I'm open to third party apps and I'll check out your suggestions. I'm not the biggest power user when it comes to the calendar, but it needs to sync to my wife's phone and allow Siri event entry.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Feb 27, 2014, 12:47 PM
 
Originally Posted by SSharon
I'm open to third party apps and I'll check out your suggestions. I'm not the biggest power user when it comes to the calendar, but it needs to sync to my wife's phone and allow Siri event entry.
All of the calendars I have used access »Apple's« calendar which means you can mix and match calendar apps. You can use Siri, for instance, to enter calendar items and they will appear in any calendar app which accesses Apple's calendar. Works perfectly with Fantastical and Helvetical, for instance.
I don't suffer from insanity, I enjoy every minute of it.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Feb 27, 2014, 03:40 PM
 
Bruce, who knows his shit, theorizes this may have been intentional.

https://www.schneier.com/blog/archiv...e_ios_ssl.html
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Feb 27, 2014, 07:27 PM
 
Originally Posted by subego
Bruce, who knows his shit, theorizes this may have been intentional.

https://www.schneier.com/blog/archiv...e_ios_ssl.html
Check The Updates.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Feb 27, 2014, 11:19 PM
 
I give him credit for "this is how I would do it" and "really clumsy" together.
     
Laminar
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Feb 27, 2014, 11:23 PM
 
I know of two people that were unable to use iMessage until updating iOS to 7.0.6. My iPhone and iPad are up now, I'll have to do the iMac when I get home.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Feb 28, 2014, 12:32 AM
 
I skimmed the link from the second update. Bruce says two posts, but I only found one.

The author of that post makes some assumptions I'm not sure are correct. His main argument is it's out in the open, and can be easily explained as an accident, therefore clumsy.

That's not how it works. You engineer any exploit you can get away with. Full stop. The only thing which would make this "clumsy" is if there was a more hidden option they didn't take. The author of the post (obviously) has no evidence of anything of the sort. Likewise, that it looks like an accident is a positive for the attackers.

If the attackers can get away with the exploit, it would be clumsy for them not to attack it.



In this context "get away with" should be taken to mean "not traceable to the attacker".
( Last edited by subego; Feb 28, 2014 at 01:01 AM. )
     
   