xeni at February 22nd, 2014 10:29 — #1
acerplatanoides at February 22nd, 2014 11:12 — #2
A backdoor so big you could drive a truck through it?
I WONDER HOW THAT HAPPENED?
kevin_marsh at February 22nd, 2014 11:28 — #3
"There's an OS update." But the article says "No patch is available yet for that operating system, though one is expected soon." Software Update says nothing new yet...
thaumatechnicia at February 22nd, 2014 11:40 — #4
Um, I updated mine more than two hours before your message.
Bandwidth throttling by your ISP?
backtoyoujim at February 22nd, 2014 12:13 — #5
Maybe people are just holding it wrong?
agonist at February 22nd, 2014 13:19 — #6
You can read the details about the bug here and even test to see if you're vulnerable.
ffabian at February 22nd, 2014 14:10 — #7
I'm more concerned that the bug is also present in OSX. Need a patch for my iMac and Air.
zeiche at February 22nd, 2014 16:08 — #8
@xeni, pwn has a very specific meaning. Did you pick the wrong word or were you suggesting that hackers could obtain control of an iOS device via this security issue?
riking at February 22nd, 2014 16:16 — #9
This is the correct URL to test:
(This bug is CVE-2014-1266, hence the port number).
Chrome will show a webpage unavailable, with "ERR_FAILED" when you click More.
Firefox will show a screen detailing the exact certificate problem.
morcheeba at February 22nd, 2014 16:20 — #10
Her usage is correct. The lack of verification that the server is authentic means that during a software update (or any download), malware can be downloaded instead - malware that would give the attacker complete control of the computer, aka pwned.
fivetonsflax at February 22nd, 2014 19:39 — #11
You're assuming that software updates aren't signed, i.e. that there's no at-rest authentication to complement the in-motion authentication.
kevin_marsh at February 22nd, 2014 20:38 — #12
Interesting. IOS7 updated fine but still can't see anything for OS X.
rocketpj at February 22nd, 2014 20:39 — #13
More of the NSA doing their best to sabotage the marketability of US tech companies?
hallam at February 22nd, 2014 23:44 — #14
This affects the checking of the signatures.
It's really yet another security catastrophe caused by using C.
Visual Studio has warnings that check for dead code that catch the issue.
billstewart at February 23rd, 2014 02:23 — #15
It's not just a catastrophe caused by using C - you could make that kind of mistake in most programming languages, and many development environments would catch that. (I'm not going to check whether "lint" would, but certainly anything more powerful than that would check for it.) (And yes, there are lots of reasons why most programmers shouldn't be allowed to use C for most applications.)
But as Nikita Borisov pointed out, it's more than just a problem with the code, it's that nobody tested whether the code did what it was supposed to before they shipped it. It's an organizational problem.
harmful: goto fail;
fail: goto harmful;
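The unconditional second `goto fail;` that hallam and billstewart are talking about, shown as an added illustration (a constructed, simplified reproduction of the pattern, not Apple's code): the hypothetical `step_ok` and `verify_sig` stand in for the real hash and signature steps. In the buggy shape the final check is dead code and `err` is still 0 from the previous step, which is exactly what a dead-code warning (for example clang's `-Wunreachable-code`) can flag; the braced version reaches the check.

```c
#include <stdio.h>

/* Constructed stand-ins for the real steps; not Apple's code. */
#define EXPECTED_SIG 0x2a

static int step_ok(void) { return 0; }          /* earlier steps succeed */

/* 0 = signature verified, nonzero = verification failed */
static int verify_sig(unsigned char sig) {
    return sig == EXPECTED_SIG ? 0 : -1;
}

/* Buggy shape: the second, duplicated goto runs unconditionally, so the
 * verify_sig step below it is never executed and err is still 0. */
int check_buggy(unsigned char sig) {
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;                    /* duplicated line: always taken */
    if ((err = verify_sig(sig)) != 0) /* dead code */
        goto fail;
fail:
    return err;
}

/* Fixed shape: braces make the control flow explicit and the final
 * signature check is reached on the success path. */
int check_fixed(unsigned char sig) {
    int err;
    if ((err = step_ok()) != 0) {
        goto fail;
    }
    if ((err = step_ok()) != 0) {
        goto fail;
    }
    if ((err = verify_sig(sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* A wrong signature (0x00) is accepted by the buggy version only. */
    printf("buggy accepts bad signature: %s\n", check_buggy(0x00) == 0 ? "yes" : "no");
    printf("fixed accepts bad signature: %s\n", check_fixed(0x00) == 0 ? "yes" : "no");
    printf("fixed accepts good signature: %s\n", check_fixed(EXPECTED_SIG) == 0 ? "yes" : "no");
    return 0;
}
```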
fivetonsflax at February 23rd, 2014 03:08 — #16
How would this affect a separate signature over a software update? The bug is in SSL handling code; an at-rest signature doesn't use SSL.
acerplatanoides at February 23rd, 2014 03:57 — #17
I think the problem is the code did -exactly- what it was supposed to do. It's just not what we paid for. And I say this as a lifelong 'fanboy'.
redesigned at February 23rd, 2014 04:21 — #18
I'm surprised iOS was patched before OS X.
cowicide at February 23rd, 2014 05:14 — #19
Only if you're using 10.9.x apparently.
cowicide at February 23rd, 2014 05:52 — #20
I'm still a bit bemused on how much attention this gets compared to the plethora of Windows security threats, but Windows security threats are so rampant it stopped being news a long time ago.
That said, Apple done goofed and I hope this news spreads everywhere and hurts the Apple brand enough to get them to seriously step up their game.
The iPad is extremely popular and this affected a lot of people. I wasn't personally affected by this hole, but I do hope that Apple gets raked over the coals on this one.
If you use Apple products, you should be a squeaky wheel on this and let Apple know how much you don't appreciate this glaring flaw. Also, spread this info far and wide. Apple needs to be made very uncomfortable with this.