So are Apple going to block all these vulnerable apps from running until a fix is available? Or is that kind of calling-out just reserved for Flash.
 
It's unbelievable that Apple released a fix for iOS and then also revealed what the critical security flaw was about, without simultaneously releasing an update to OS X. It wouldn't have needed to be 10.9.2, just a "10.9.1 Security Update". I'm sure Macs are silently compromised by man-in-the-middle attacks today. I hope mine isn't, it could well be. It's stuff you wouldn't really know.

The bug is so serious that security researchers didn't even want to talk about it in order to minimize exposure, but it's well exposed now. By Apple.
 
?

Perhaps I'm different than most users of portable electronics, but my most important private/sensitive/financial data is on my portable laptop, not an iOS device. I'd much rather have my iOS device hacked into than my laptop.

I would think that most people do their taxes and financial management on an OSX machine rather than an iOS device....plus have a lot of other sensitive data on an OSX machine due to storage capacity.

But whatever. Heck of a job, Apple. Handled perfectly. Bravo! :rolleyes:


Did you read the article? It's an OSX bug as well.
 
Many security flaws seem to be exploitable in theory but you'd have to be in the perfect storm of public wifi and around a hacker at the exact same time and place while transferring sensitive data.

Boy would you be surprised to hear how many people using smart phones actually connect to any Wi-Fi as long as it says "Free Wi-Fi" or so in the network ID!

And boy would you be surprised to hear how easy it is to spawn such a "Free Evil(tm) Wi-Fi"...
 
GoToFail.com actually exists.
Nice.

A Whois lookup shows the identity of the gotofail.com registrant is protected behind an anonymous registration service.

So, is it possible that gotofail.com itself is nefarious? (Serious question — I'm not trolling, I really don't know whether this should be worrisome.)
 
That's a really good question. Any experts with insight? Many security flaws seem to be exploitable in theory but you'd have to be in the perfect storm of public wifi and around a hacker at the exact same time and place while transferring sensitive data.

Given the number of exploitable home wi-fi routers (and improperly secured wi-fi routers), I wouldn't assume that they're immune to this sort of attack. If, for example, an attacker exploited a bug in your home router to inject their own DNS servers, then they're probably in a better position to exploit this SSL bug than they would be on a public wi-fi network (how often are users suspicious of their own networks).

That's often the way with these things - one exploit on its own may not be worth much, but a combination of exploits can do much more damage. For example, I believe the evasi0n jailbreak required four exploitable bugs.

Whether a hacker (NSA/GCHQ types excluded) would be determined enough to go after an individual user this way seems unlikely, but there's nothing stopping them going on a fishing expedition and snaring some unlucky souls with the right combination of exploitable router and iOS/OSX hardware.

In short, apply patches ASAP and turn off remote administration options on home routers unless you're absolutely certain you need them (many of the router exploits take advantage of buggy web interfaces).
 
A Whois lookup shows the identity of the gotofail.com registrant is protected behind an anonymous registration service.

So, is it possible that gotofail.com itself is nefarious? (Serious question — I'm not trolling, I really don't know whether this should be worrisome.)

Short version, no. The exploit is more likely to happen on your local network, not on the internet or at malicious websites.
 
I wished Apple would fix the frequently unwanted restarts of my iPad Air. The device is simply not reliable. It's no use exchanging the iPad Air for a new one because I already did and the same restarts occur. Especially when using the Safari browser.

And this is since the beginning when Apple released the iPad Air.

Just another reaction from Nov 12, 2013

"While I am using a application like safari, the iPad just restarted. Probably it wasn't a really restart because it just took a seconds and the a white screen with an  in the middle came up just like usually turn on the iPad and back to lock screen and any application I was using were closed after that."

Link: https://discussions.apple.com/message/23755465#23755465

I'm not allowed to swear here on the forum, but Apple as a company does deserve a *beep* in the *beep* because of their unprofessional attitude and approach to this issue which inflects so many people.

Rumors go that Apple is working on a fix when releasing 7.1 iOS. But jesus, this already takes months.
 
I'm surprised that they aren't releasing any temporary fix.. while they are working on patch to fix one line of code.

Somebody might say that they need to test the patch, but they've already done that with iOS where the bug was exactly the same.
 
I'm a little interested how they know that it's goto and not some thing else… does goto actually have a one-to-one mapping with something in x86?

The code is open source.

See https://www.imperialviolet.org/2014/02/22/applebug.html

I'm surprised Apple doesn't have a static analyzer that automatically rejects code using a goto…)

Well, if dead-code warnings were enabled then the compiler would have found the bug. Xcode's "Build & Analyze" feature would warn about this, but I guess they didn't use it.
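
Added example, not part of any post in this thread and not Apple's source: a minimal C illustration of the duplicated-`goto` pattern the posts above refer to, next to a braced version. The function and step names (`verify_duplicated_goto`, `verify_braced`, `step_ok`, `step_bad`) are hypothetical stand-ins for the hash and signature-check steps.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the hash and signature steps; 0 means success. */
typedef int (*step_fn)(void);
static int step_ok(void)  { return 0; }
static int step_bad(void) { return -1; }

/* The pattern under discussion: a duplicated goto that the `if` does not guard. */
int verify_duplicated_goto(step_fn hash_update, step_fn hash_final, step_fn check_sig)
{
    int err;

    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                 /* always taken, with err == 0 */
    if ((err = hash_final()) != 0) /* dead code from here ... */
        goto fail;
    err = check_sig();             /* ... so the signature is never checked */
fail:
    return err;
}

/* Same logic with braces and no stray line: every step is reachable. */
int verify_braced(step_fn hash_update, step_fn hash_final, step_fn check_sig)
{
    int err;

    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = check_sig();
fail:
    return err;
}

int main(void)
{
    /* Constructed case: both hash steps succeed, the signature check fails. */
    printf("duplicated goto: %d\n", verify_duplicated_goto(step_ok, step_ok, step_bad));
    printf("braced:          %d\n", verify_braced(step_ok, step_ok, step_bad));
    return 0;
}
```

Building the first function with clang's `-Wunreachable-code` reports the statements after the second `goto fail` as code that will never be executed, which is the dead-code warning mentioned above.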
 
"Microsoft issues fix" is the pertinent phrase in that headline. Meanwhile at Apple deleting one line of code proves too difficult to attempt over a weekend.
Microsoft magically defies reality and fixes, tests, and releases Windows security fixes in a matter of minutes?

----------

I'm surprised that they aren't releasing any temporary fix.. while they are working on patch to fix one line of code.

Somebody might say that they need to test the patch, but they've already done that with iOS where the bug was exactly the same.
Because testing something for one completely different system is somehow relevant to another, right?
 
Microsoft magically defies reality and fixes, tests, and releases Windows security fixes in a matter of minutes?

Why do you think I'm claiming a fix should take minutes? It's been nearly three days since iOS was patched.
 
Hang on - "goto"? What code is this in? I take it it's not in Objective C - is a different language used for the lower level stuff?

----------

My mbp has not left my house in two years lol I'm not worried. And I always shut wifi off when asked to join in a public unsecured area. Sometimes LTE is even snappier.

Makes it easier for the government to spy on you over the LTE of course. Not that they apparently had much trouble anyway. Well, OK, that's not fair - they actually went to quite a lot of trouble to spy on you all didn't they.
 
Hang on - "goto"? What code is this in? I take it it's not in Objective C - is a different language used for the lower level stuff?

----------



Makes it easier for the government to spy on you over the LTE of course. Not that they apparently had much trouble anyway. Well, OK, that's not fair - they actually went to quite a lot of trouble to spy on you all didn't they.

I'm not worried about my government spying on me and if it stops the next 911 I'm all for it.
 
Because testing something for one completely different system is somehow relevant to another, right?

We're talking about one broken library, literally - one line of code.

And sad to say but Microsoft actually releases critical updates out of schedule and ASAP.

In this case, I feel like they're waiting for 10.9.2 and it's not acceptable with the magnitude of this loophole.
 
I can imagine an NSA techie slamming his head into a wall while saying "*******! They found the loophole I inserted!"

NSA-implanted code was my exact thought when I first heard of this. I up voted your comment. ;)
 