Patched SSL flaw in iOS might also affect OSX
Moderator
Join Date: Aug 2001
Location: Nobletucky
Administrator
Join Date: Jun 2000
Location: California
The flaw causes SSL keys to not be verified. Security test page. If you can load it, you are affected by the bug.
10.9.2 not affected (news reports)
10.9.0, 10.9.1 are affected.
10.8.5 not affected (sek929)
10.7.5 not affected (turtle)
10.6.8 / Safari 5.1.10 is not affected. Throws a verification error, refuses to load the page.
PPC 10.5.8 / Safari 5.0.6 is not affected. Throws a verification error, refuses to load the page.
(Last edited by reader50; Feb 25, 2014 at 04:58 PM. Reason: updated as info comes in)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
10.7.5 is not affected.
-t
Posting Junkie
Join Date: Nov 1999
Location: Cape Cod, MA
10.8.5 Refuses to load page
Moderator
Join Date: Aug 2001
Location: Nobletucky
From what I gather, if you are on 10.9, switching your browser to either Chrome or Firefox will mitigate the issue. However, there are other components of OSX that are affected as well.
On the iOS side of things, it looks like the fix is organized like this...
• If your iOS device is approved to run iOS 7, you must apply the 7-specific patch.
• If your iOS device is not approved to run 7, you must apply the 6-specific patch.
What this means is, if you have, for instance, an iPhone 4s and are still running iOS 6, the only way to fix this problem is to upgrade to iOS 7. You will not be given a chance to apply the 6-specific patch.
Moderator
Join Date: Jan 2001
Location: Polwaristan
I have an iPhone 5 still on 6.x and yes, the only update option is 7.0.4, where I assume the next offer would be for 7.0.6. I took my 5s and both iPads to 7.0.6 as soon as this came out.
This is a huge flaw, it's ridiculous. How was this not caught immediately? It says a lot about Apple's security testing--this should be an automated test, very simple, and this stuff should be checked every time.
It also makes me question the rigor of US government and Defense testing--they certified iOS 6. Seems like MitM / privileged network position should be high on the list of exhaustive testing.
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
The page loads in iOS Safari, but not in iOS Chrome. I'm going to apply the patch anyway, but I find that to be an interesting data point.
Glenn -----OTR/L, MOT, Tx
Moderator
Join Date: Jan 2001
Location: Polwaristan
They use different code. Anything calling iOS and OS X code/module is going to be vulnerable. Chrome and Firefox use their own.
Addicted to MacNN
Join Date: Apr 2000
Originally Posted by reader50
The flaw causes SSL keys to not be verified. Security test page. If you can load it, you are affected by the bug
10.9.1 Safari loads, Firefox does not load
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by Thorzdad
From what I gather, if you are on 10.9, switching your browser to either Chrome or Firefox will mitigate the issue. However, there are other components of OSX that are affected as well.
On the iOS side of things, it looks like the fix is organized like this...
• If your iOS device is approved to run iOS 7, you must apply the 7-specific patch.
• If your iOS device is not approved to run 7, you must apply the 6-specific patch.
What this means is, if you have, for instance, an iPhone 4s and are still running iOS 6, the only way to fix this problem is to upgrade to iOS 7. You will not be given a chance to apply the 6-specific patch.
This mega sucks. My iPhone 4 is still on iOS6 because I despise the calendar app in iOS7. As in I hate the calendar app so much I'm still not going to update to iOS7 despite this news and I'll take my chances with iOS6.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Why don't you get a suitable 3rd party calendar app ?
-t
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Originally Posted by Cold Warrior
This is a huge flaw, it's ridiculous. How was this not caught immediately? It says a lot about apple's security testing--this should be an automated test, very simple, and this stuff should be checked every time.
They clearly don't do automated pen testing. I would argue that they should, and hopefully they will now. There is also the fact that the compiler did not warn about the unreachable code. GCC does not, but then GCC's warnings aren't very good. Clang's warnings ARE good and Clang does warn if you turn on a special flag at compilation, but just turning on the regular -Wall does not result in a warning. Since Apple is very much involved in the development of Clang and LLVM, I would expect that to change as well.
I understand how the bug happened, though. The most likely answer is that it's a merge bug - someone changed one of the lines in question here, someone else made a change further up that changed the line count, and the automated merger made a mistake when reconciling things.
Originally Posted by Cold Warrior
It also makes me question the rigor of US government and Defense testing--they certified iOS 6. Seems like MitM / privileged network position should be high on the list of exhaustive testing.
Not to take this into the PWL, but... There are indications that the NSA knew about this and did not alert anyone because they wanted to have the ability to spy on iOS users. Alternatively, they know about some other iOS 7 bug that Apple hasn't found yet, which is even more worrisome.
(If you want to go completely tinfoil hat, you can imagine that the NSA planted the bug in the first place. I don't want to go that far, mostly because I can see how it would happen naturally.)
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Originally Posted by turtle777
Why don't you get a suitable 3rd party calendar app ?
-t
This. There is no lack of Calendar apps in the App Store. I use WeekCal+, I know many are happy with Fantastical.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
Moderator
Join Date: May 2001
Location: Hilbert space
Can anyone explain to me whether the attribute »epic« is justified? I don't want to downplay the situation, but how is this different from the gravity of a zero day exploit?
I don't suffer from insanity, I enjoy every minute of it.
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
It has been implied in a public scandal (the NSA snooping).
It was patched on iOS, and therefore public, for four days before the OS X patch.
The bug is obvious enough that just about any doofus can understand what happened and make uninformed commentary about what Apple should have done (no, not using goto would not have helped one bit. Correct answer is either coding styles that enforce curly braces after each if, enabling more warnings at compile time, or automated pen testing).
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
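A constructed C model of the defect P describes here and in the earlier post about the merge bug and compiler warnings (an added example, not Apple's code; `check_step` and the status values are stand-ins): a duplicated unbraced `goto fail` turns the final check into dead code, while the braced style P recommends survives the same duplication.

```c
/* Constructed example, not Apple's code: a minimal model of the
 * duplicated unbraced "goto fail" control-flow defect discussed above. */
typedef int OSStatus;
enum { errSecSuccess = 0, errSecVerifyFailed = -1 };

/* Stand-in for one verification step (assumed helper); reports a status. */
static OSStatus check_step(int ok)
{
    return ok ? errSecSuccess : errSecVerifyFailed;
}

/* Flawed flow: the second "goto fail" is unconditional because only the
 * first statement belongs to the if, so the signature check after it is
 * dead code and err still holds the success status of the previous step. */
OSStatus verify_flawed(int sig_ok)
{
    OSStatus err;
    if ((err = check_step(1)) != 0)
        goto fail;
    if ((err = check_step(1)) != 0)
        goto fail;
        goto fail;                         /* duplicated line: always taken */
    if ((err = check_step(sig_ok)) != 0)   /* never executed */
        goto fail;
fail:
    return err;
}

/* Braced style: the same duplicated line is confined to the if-body,
 * so the final signature check always runs. */
OSStatus verify_braced(int sig_ok)
{
    OSStatus err;
    if ((err = check_step(1)) != 0) {
        goto fail;
    }
    if ((err = check_step(1)) != 0) {
        goto fail;
        goto fail;                         /* duplicated line: harmless here */
    }
    if ((err = check_step(sig_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}
```

Compiling the flawed function with clang and -Wunreachable-code reports the dead check, while -Wall alone stays silent, which is the warning gap P mentions.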
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
That shows you how many people are running Mavericks. lol
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
The OS X patch is out in the form of 10.9.2. Update now.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
Addicted to MacNN
Join Date: Sep 2000
Location: The Rock
18 minutes to install, not counting download time. I could probably reinstall Mavericks faster than that. Weird.
Mankind's only chance is to harness the power of stupid.
Posting Junkie
Join Date: Aug 2003
Location: midwest
(Last edited by ebuddy; Feb 28, 2014 at 06:45 PM.)
ebuddy
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by turtle777
Why don't you get a suitable 3rd party calendar app ?
-t
Originally Posted by P
This. There is no lack of Calendar apps in the App Store. I use WeekCal+, I know many are happy with Fantastical.
I'm open to third party apps and I'll check out your suggestions. I'm not the biggest power user when it comes to the calendar, but it needs to sync to my wife's phone and allow Siri event entry.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
Moderator
Join Date: May 2001
Location: Hilbert space
Originally Posted by SSharon
I'm open to third party apps and I'll check out your suggestions. I'm not the biggest power user when it comes to the calendar, but it needs to sync to my wife's phone and allow Siri event entry.
All of the calendars I have used access »Apple's« calendar which means you can mix and match calendar apps. You can use Siri, for instance, to enter calendar items and they will appear in any calendar app which accesses Apple's calendar. Works perfectly with Fantastical and Helvetical, for instance.
I don't suffer from insanity, I enjoy every minute of it.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Originally Posted by subego
Check The Updates.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
I give him credit for "this is how I would do it" and "really clumsy" together.
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
I know of two people that were unable to use iMessage until updating iOS to 7.0.6. My iPhone and iPad are up now, I'll have to do the iMac when I get home.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
I skimmed the link from the second update. Bruce says two posts, but I only found one.
The author of that post makes some assumptions I'm not sure are correct. His main argument is it's out in the open, and can be easily explained as an accident, therefore clumsy.
That's not how it works. You engineer any exploit you can get away with. Full stop. The only thing which would make this "clumsy" is if there was a more hidden option they didn't take. The author of the post (obviously) has no evidence of anything of the sort. Likewise, that it looks like an accident is a positive for the attackers.
If the attackers can get away with the exploit, it would be clumsy for them not to attack it.
In this context "get away with" should be taken to mean as "not traceable to the attacker".
(Last edited by subego; Feb 28, 2014 at 01:01 AM.)