In line with the release of the iOS update. That would be "very soon".

Apple has done a poor job of getting the word out about this vulnerability and what their customers should have been, and should be doing while waiting for the patch.

I've notified a dozen or so people I know that use iOS devices or Macs, and none of them knew about the bug, let alone that they should be avoiding public wifi. Apple could have communicated with their customers much better on this.
That wouldn't be very soon, that would be just at the same time, which might not have been practical for OS X at that moment while it was more necessary for iOS given its much wider exposure and use in more places.

----------

What a surprise...

Only a day later AFTER iOS update with the SAME problem...

Most Apple people will tell me "It's just a coincidence.." that they waited this long in the first place...

Obviously, Apple doesn't care about security..

They think they do, otherwise this SSL issue would have been right at the top of the list.... against all other "features" that SHOULD come after security, not before or in-between.

I would have fixed this the moment I heard about it...

What else can go wrong ?

With Apple, anything goes :) .. Next up: Macs are not as secure as Apple thought.
And what makes it look like they didn't start work on fixing it the moment they heard about it?
 
That's certainly good. Doesn't help much for those who are running the latest iOS 7.1 beta (even not on their main devices) or running iOS 6 on iPhone 4 or 4S or 5 and don't want to go to iOS 7 or jailbreak.

Yes indeed, I feel sorry for those on iPhone 4, 4S, & 5 that want to stay on iOS 6

Just wanted to gloat about how the jailbreak community reacts to stuff like this.
 
Passwords compromised?

It kinda goes without saying that if the SSL was compromised for iCloud etc. that we should be all resetting our passwords....(along with any other sites)....I wonder if Apple will go out of their way to inform users that they should do this (they should force password resets for their products and inform users that they should reset passwords on other sites as well)...potentially this is a very large issue as we don't know how long or who inserted the bug...so if it was nefarious then people could have been collecting pw's without anyone knowing about it...

I would imagine a class-action suit if they didn't and it was later found out that anyone's passwords had been compromised...
 
That wouldn't be very soon, that would be just at the same time, which might not have been practical for OS X at that moment while it was more necessary for iOS given its much wider exposure and use in more places.

Perhaps I'm different than most users of portable electronics, but my most important private/sensitive/financial data is on my portable laptop, not an iOS device. I'd much rather have my iOS device hacked into than my laptop.

I would think that most people do their taxes and financial management on an OSX machine rather than an iOS device....plus have a lot of other sensitive data on an OSX machine due to storage capacity.

But whatever. Heck of a job, Apple. Handled perfectly. Bravo! :rolleyes:
 
I can imagine an NSA techie slamming his head into a wall while saying "*******! They found the loophole I inserted!"

More like, Oh! look those noobsauce just found one of the h.s intern's loophole..
 
no

Yes, but I think this article does a good job of explaining why that's such an issue...

It explains the issue - sort of. But it certainly does NOT do a good job of explaining the issue and the subtleties.

It jumped upon the click-bait tinfoil-hat but then wimped out by saying "make sure you stay on secured networks". Maybe you could say "stay away from password-free WiFi" and then we could understand.

And oh, by the way, it seems that OS X versions prior to 10.9 Mavericks aren't vulnerable. Folks sticking with 10.8 or earlier are not vulnerable.
 
Perhaps I'm different than most users of portable electronics, but my most important private/sensitive/financial data is on my portable laptop, not an iOS device. I'd much rather have my iOS device hacked into than my laptop.

I would think that most people do their taxes and financial management on an OSX machine rather than an iOS device....plus have a lot of other sensitive data on an OSX machine due to storage capacity.

But whatever. Heck of a job, Apple. Handled perfectly. Bravo! :rolleyes:
This isn't really that type of a hack.
 
Is this more academic than real? If I understand this correctly, someone (other than, say, the NSA) has to be on your network to do the man in the middle attack. I'm not concerned at home or work. Is this just a threat to folks sitting in cafes? What's the real world scenario here?
 
Is this more academic than real? If I understand this correctly, someone (other than, say, the NSA) has to be on your network to do the man in the middle attack. I'm not concerned at home or work. Is this just a threat to folks sitting in cafes? What's the real world scenario here?

As far as I knew, the threat has to *be* your network to do the attack.
 
Is this more academic than real? If I understand this correctly, someone (other than, say, the NSA) has to be on your network to do the man in the middle attack. I'm not concerned at home or work. Is this just a threat to folks sitting in cafes? What's the real world scenario here?

That's a really good question. Any experts with insight? Many security flaws seem to be exploitable in theory but you'd have to be in the perfect storm of public wifi and around a hacker at the exact same time and place while transferring sensitive data.
 
Well then I guess it only opens the door for a benign hack, where a hacker doesn't want any data of value off my MacBook.
It just doesn't really open anything into the devices you have, just a potential to intercept data that is being sent using those devices and only in certain situations. There is a difference.
 
...may be affecting more than just Safari

Didn't we already know this? It's a bug in Secure Transport, an OS X API that can be used by any OS X application and probably is used by most native apps, including Apple's own. Chrome and Firefox are exceptions because they use their own implementation of SSL/TLS, undoubtedly because they need to be cross platform. (I suspect Thunderbird is the same. I should probably switch from Mail--which is almost certainly also susceptible--until this gets fixed.)

I'm a little interested how they know that it's goto and not something else… does goto actually have a one-to-one mapping with something in x86?

You're thinking about this way too hard. It's open source. ;) We know it's goto because there is an error in the published code involving a goto statement.

If you've done any C-style programming, the issue is actually a combination of an extra goto and the syntax of if statements. In this section of code, they didn't enclose the body of the if statements in curly braces. This is fine since they're optional and their absence means that only the next statement is considered part of the body, but they wrote the goto statement twice instead of once for the "body" of this if statement, meaning the second one was effectively outside the if statement and executed regardless. Read more here: http://www.imore.com/understanding-apples-ssl-tls-bug

Like you, I'm surprised they are so reliant on goto, which is generally considered bad form in modern programming. However, I'm also surprised they don't have a coding style, as many do, that requires braces around if statements, even if their body is only one statement long. Not only would that have prevented this error (well, assuming they didn't copy and paste an extra set of braces, too), but it's something a lot of people do since it makes it easier to expand the if statement's body to more lines/statements later if you need to since you will need braces then.
 
That's a really good question. Any experts with insight? Many security flaws seem to be exploitable in theory but you'd have to be in the perfect storm of public wifi and around a hacker at the exact same time and place while transferring sensitive data.

Where is Apple's PR machine? They should be out explaining in much greater detail when we should expect the patch, without being vague, and what the specific vulnerabilities have been to their customers.

Do we need to change passwords immediately or not? If so, do we possibly need to change them again after the patch? I do not understand why they have not given their customers specific advice. Apple should try and be out in front of this instead of leaving people wondering. Most people do not have the technical skills to digest the implications of this bug and to make informed decisions based on the information Apple has provided.
 
I wonder if we need to see some regulation here, because these security lapses are pure product defects. And vendors must not profit from defects. (I'm looking at you, Apple. And not at Microsoft, to their credit.) For example, the European Commission could require all vendors (Apple, Samsung, Microsoft, etc.) to release free security fixes for all devices and software they sold (directly or through distributors) within the past, say, 5 years (from date of withdrawal from the market, including refurbished products). If a defect goes unfixed for 30 days then the vendor is barred from introducing any new products/models unless and until all defects in past products are remedied. If the defect goes unfixed for 60 days then there's a daily fine with acceleration. (The proceeds from those fines could be dedicated to a security research institute and to pay bounties.) The 30/60 clock starts when the vendor is notified in writing and with sufficient specificity.

Something like that formula would help a lot.
 
Is this more academic than real? If I understand this correctly, someone (other than, say, the NSA) has to be on your network to do the man in the middle attack. I'm not concerned at home or work. Is this just a threat to folks sitting in cafes? What's the real world scenario here?

I think it's mainly a concern when on the same WiFi or wired network as an attacker - hotels, public WiFi etc. When in those situations, any traffic that travels over SSL (PayPal credentials, bank logins, email account logins, any other communications with servers of any type) can be intercepted.

Here's a link with some background on ARP spoofing, the easiest attack method on public networks: http://www.airtightnetworks.com/WPA2-Hole196 I believe there are other attack methods too, such as DNS poisoning, that could render SSL from your home or work networks equally useless. That might be a little harder for your average script kiddie to pull off than ARP spoofing on your local subnet.
 
I wonder if we need to see some regulation here, because these security lapses are pure product defects. And vendors must not profit from defects. (I'm looking at you, Apple. And not at Microsoft, to their credit.) For example, the European Commission could require all vendors (Apple, Samsung, Microsoft, etc.) to release free security fixes for all devices and software they sold (directly or through distributors) within the past, say, 5 years (from date of withdrawal from the market, including refurbished products). If a defect goes unfixed for 30 days then the vendor is barred from introducing any new products/models unless and until all defects in past products are remedied. If the defect goes unfixed for 60 days then there's a daily fine with acceleration. (The proceeds from those fines could be dedicated to a security research institute and to pay bounties.) The 30/60 clock starts when the vendor is notified in writing and with sufficient specificity.

Something like that formula would help a lot.

By accepting the EULA for OS X or Windows, you pretty much agree that none of this can happen.
 
I'm a little interested how they know that it's goto and not some thing else… does goto actually have a one-to-one mapping with something in x86? (I guess it would be jump? But there's plenty of other things that would use jump too, I would think? Function calls would have jump-and-link, while and for would have some kind of conditional jumps… is goto really the only thing that translates directly to jump? I'm surprised Apple doesn't have a static analyzer that automatically rejects code using a goto…)

Actually it's because of an if statement where they didn't use brackets, and thus screwed up. This is the actual code that is wrong:

Code:
 if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
The extra goto fail was added in for some reason and because they didn't use brackets, the goto fail always jumped to the fail area.


Edit: You can see the code here
http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?txt
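
The control flow described in the posts above, reduced to a small C program. This is an added example, not part of the thread and not Apple's source; hash_update, hash_final and verify_signature are hypothetical stand-ins for the real hashing and signature steps.

```c
#include <stdio.h>

/* Hypothetical stand-ins: each returns 0 on success and non-zero on
   failure, like the err values in the snippet quoted in the thread. */
static int hash_update(int ok)             { return ok ? 0 : -1; }
static int hash_final(int ok)              { return ok ? 0 : -1; }
static int verify_signature(int sig_valid) { return sig_valid ? 0 : -2; }

/* Same shape as the quoted code: no braces, duplicated goto. */
int verify_buggy(int sig_valid)
{
    int err;

    if ((err = hash_update(1)) != 0)
        goto fail;
        goto fail;                      /* not in the if body: always runs */
    if ((err = hash_final(1)) != 0)
        goto fail;
    err = verify_signature(sig_valid);  /* unreachable */

fail:
    return err;  /* still 0 from the successful hash_update */
}

/* Braced form: only a real failure jumps to fail. */
int verify_braced(int sig_valid)
{
    int err;

    if ((err = hash_update(1)) != 0) {
        goto fail;
    }
    if ((err = hash_final(1)) != 0) {
        goto fail;
    }
    err = verify_signature(sig_valid);

fail:
    return err;
}

int main(void)
{
    /* 0 means "accepted"; the input here is an invalid signature. */
    printf("buggy,  invalid signature: %d\n", verify_buggy(0));
    printf("braced, invalid signature: %d\n", verify_braced(0));
    return 0;
}
```

The buggy version reports success for an invalid signature because err was last set by a step that succeeded, and the signature check is never executed.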
 
Perhaps I'm different than most users of portable electronics, but my most important private/sensitive/financial data is on my portable laptop, not an iOS device. I'd much rather have my iOS device hacked into than my laptop.

I would think that most people do their taxes and financial management on an OSX machine rather than an iOS device....plus have a lot of other sensitive data on an OSX machine due to storage capacity.

But whatever. Heck of a job, Apple. Handled perfectly. Bravo! :rolleyes:

No, you're not different. I think AAPL have weighed things up and decided that;
A small number of users x lots of data ≤ A large number of users with small amounts of data?

I'm the same, much more on my mac than any iDevice I own.

Let's see if this affects the stock price.

----------

By accepting the EULA for OS X or Windows, you pretty much agree that none of this can happen.

No you don't. EULAs mean different things in different countries and are there to try and catch all eventualities, (and more), they are by no means as binding as they look. Same with a contract of employment, there's loads of crap in a lot of those that may not stand up in court.
 
I wonder if we need to see some regulation here, because these security lapses are pure product defects. And vendors must not profit from defects. (I'm looking at you, Apple. And not at Microsoft, to their credit.) For example, the European Commission could require all vendors (Apple, Samsung, Microsoft, etc.) to release free security fixes for all devices and software they sold (directly or through distributors) within the past, say, 5 years (from date of withdrawal from the market, including refurbished products). If a defect goes unfixed for 30 days then the vendor is barred from introducing any new products/models unless and until all defects in past products are remedied. If the defect goes unfixed for 60 days then there's a daily fine with acceleration. (The proceeds from those fines could be dedicated to a security research institute and to pay bounties.) The 30/60 clock starts when the vendor is notified in writing and with sufficient specificity.

Something like that formula would help a lot.
Unfixed from the moment it was introduced when no one knew about it or was affected by it or from the moment it was discovered?
 
Actually it's because of an if Statement where they didn't use brackets, and thus screwed up.

It's really inexcusable that the compiler didn't warn about the unreachability of the following code. And if they were using C++ and exceptions, they wouldn't have all that stupid test-and-goto-error code.
 