SSL vulnerability ios and Macos X.

[srichards]

Looks like Apple is poor at SSL!!

http://www.theguardian.com/technology/2014/feb/22/apple-ios-software-hacking-risk

There's an ios update on the ipad and iphone for it. None for macs as yet. School boy error. Apple are becoming the new microsoft it seems

It doesn't say whether it is only the mac mail that is vulnerable or whether any other mail app eg Thunderbird is also vulnerable.

 

[inkiboo]

Sorry, this can't be the case because I've read so many posts on here about Apple having no security issues.

 

[Planky]

Sorry, this can't be the case because I've read so many posts on here about Apple having no security issues.

Perhaps you should change your Avatar to a troll?

 

[inkiboo]

Perhaps you should change your Avatar to a troll?

It was a joke, plus I own various Apple computers.

 

[arad85]

Perhaps you should change your Avatar to a troll?

TBH, something like this is ripe for a comment like that - sooo many times a single one liner comes back that Macs are totally immune without a full understanding of what's going on. Having said that, no virus protection would guard against this - it's a real bug in the SSL code which would be exploited as your data is carried, not a hack on a Mac/iOS device.

 

[MWHCVT]

Sorry, this can't be the case because I've read so many posts on here about Apple having no security issues.

Maybe the apple fans will have to slightly ajust to "Apple it just doesn't work" of course sent from my iPad

 

[hollis_f]

It doesn't say whether it is only the mac mail that is vulnerable or whether any other mail app eg Thunderbird is also vulnerable.

It's not just email. If anything it's web browsing where you're most likely to be vulnerable. Anything using Secure Sockets Layer is vulnerable. However, it's unlikely to be a problem for home users (unless they're stupid enough to not use any security on the wireless connection) but it could be a problem if you use public WiFi.

 

[srichards]

I expect better from Apple really. If the vulnerability is a known classic attack that has been a hole before in other implementations then it is a particularly stupid mistake.

I certainly wouldn't use a phone to access banking data.

This is the mistake: https://www.imperialviolet.org/2014/02/22/applebug.html

Basic programming mistake. I never even knew apple source code used gotos. I thought they went out with bbc basic and were removed from all proper programming languages!

Pleasingly it doesn't affect chrome nor FF for browsing so it's only the secure ipad stuff that isn't really secure.

 

[arad85]

I never even knew apple source code used gotos.

GOTOs per se are not bad. It's the programmers use of them that is potentially bad (see Apple and SSL ). That could quite easily be as bad not using {}'s without the goto...

 

[srichards]

Even better macosx 10.8.5 doesn't seem to be vulnerable anyway as I tried the same test site in safari and that 'couldn't establish a connection'.

I knew not updating to mavericks was a sensible choice

 

[srichards]

Also just noticed that Siri starts up from the lock screen even if it is set to be inaccessible. Not noticed that for a while. Not checked whether it bypasses the passcode system again.

I keep it off otherwise the daft git gets started just about every time I try and fish my phone out of an awkward pocket :-/

 

[neil_g]

thread bookmarked for future reference

 

[onomatopoeia]

Basic programming mistake. I never even knew apple source code used gotos. I thought they went out with bbc basic and were removed from all proper programming languages!

They persist, and the use in the page linked is the most common one, to have a common "clean up and exit" section of code so you don't have to modify lots of failure conditions if you add another memory allocation at the start of a function (for example).

 

[Chappers]

The problem doesn't seem to affect Firefox so it looks like Apple apps only, Safari, Mail iMessage . Not sure if it affects iCloud.

 

[JonathanRyan]

GOTOs per se are not bad. It's the programmers use of them that is potentially bad (see Apple and SSL ). That could quite easily be as bad not using {}'s without the goto...

I thought the reason for them being deprecated is that with a GOTO a program can't be mathematically proved. Basically because you can't work out what the previous line of code was if you allow GOTOs (with most other jumps there's a register somewhere that will tell you the return address). That's from a half remembered lecture in the 90s though so it may not be right.

The real error with that code is the duplicated command so the second one is outside the conditional. Like putting a random full stop in a COBOL conditional. Like most if not all errors of this kind it would have been caught by adequate testing but pretty much nobody tests stuff any more.......

TBH I wouldn't do anything on a public data signal that I didn't expect to be intercepted.

 

[arad85]

I thought the reason for them being deprecated is that with a GOTO a program can't be mathematically proved.

Do people still use ADA? You can write really, really poor code without the use of gotos....

The main reason for using them is as Mark said - for cleaning up allocations etc.. when something goes wrong.

 

[JonathanRyan]

Do people still use ADA? You can write really, really poor code without the use of gotos....

Careful now. IIRC a mate's dad created ADA.

 

[inkiboo]

OS 10.9.2 is now available. Apple users can update, fix the bug and continue to be smug/condescending.

 

[arad85]

I used to work on the periphery of the defence/space industry in the 80's and 90's. I once saw a list of 10 or so coding rules which were (as far as I know) adhered to when coding for mission critical space systems. In the first two or three of those rules was: you shall not use floating point calculations - presumably due to the dropoff of accuracy when you need more and more precision.

Talk about making life hard for yourself....

 

[Mikesphotaes]

OS 10.9.2 is now available. Apple users can update, fix the bug and continue to be smug/condescending.

Ipad one came out yesterday and took ages to install.

 

[JonathanRyan]

OS 10.9.2 is now available. Apple users can update, fix the bug and continue to be smug/condescending.

Downloading smugness now.

 

[trencheel303]

I've still not updated my stuff, I suppose I'd better. I was kind of enjoying the fact that my iPad was still on 7.0.0.

 

[sbowler579]

Downloading smugness now.

 

[arad85]

Downloading smugness now.

Are you sure? It could be someone impersonating Apple and downloading Megabytes of virii...

 

[srichards]

I don't need extra smugness as mountain lion doesn't have that issue anyway

 

[neil_g]

Ipad one came out yesterday and took ages to install.

Interesting, my iPhone updated last week for an ssl issue.

Haven't checked the iPad for a while though.

 

[JonathanRyan]

Are you sure? It could be someone impersonating Apple and downloading Megabytes of virii...

Yes I'm sure. They asked for my credit card to make sure it was actually me. That's normal, right?

 

[Musicman]

Interesting, my iPhone updated last week for an ssl issue.

Haven't checked the iPad for a while though.

Same here, I got an auto update notice on my phone at the weekend and manually updated my iPad the next day.

I think Apple phase in the automatic updates for iOS to different devices over a few days to spread the server load at their end.

 

[arad85]

Yes I'm sure. They asked for my credit card to make sure it was actually me. That's normal, right?

I don't know. I've never had to download smugness as it comes pre-installed over here, so I'm not sure whether CC details are needed or not....