"There's an OS update." But the article says "No patch is available yet for that operating system, though one is expected soon." Software Update says nothing new yet...
Um, I updated mine more than two hours before your message.
Bandwidth throttling by your ISP?
Maybe people are just holding it wrong?
You can read the details about the bug here and even test to see if you're vulnerable.
I'm more concerned that the bug is also present in OSX. Need a patch for my iMac and Air.
@xeni, pwn has a very specific meaning. Did you pick the wrong word or were you suggesting that hackers could obtain control of an iOS device via this security issue?
This is the correct URL to test:
https://www.imperialviolet.org:1266
(This bug is CVE-2014-1266, hence the port number).
Chrome will show a webpage unavailable, with "ERR_FAILED" when you click More.
Firefox will show a screen detailing the exact certificate problem.
Her usage is correct. The lack of verification that the server is authentic means that a software update (or any download) means malware can be downloaded instead - malware that would give the attacker complete control of the computer, aka pwned.
You're assuming that software updates aren't signed, i.e. that there's no at-rest authentication to complement the in-motion authentication.
Interesting. IOS7 updated fine but still can't see anything for OS X.
More of the NSA doing their best to sabotage the marketability of US tech companies?
This affects the checking of the signatures.
It's really yet another security catastrophe caused by using C.
Visual Studio has warnings that check for dead code that catch the issue.
It's not just a catastrophe caused by using C - you could make that kind of mistake in most programming languages, and many development environments would catch that. (I'm not going to check whether "lint" would, but certainly anything more powerful than that would check for it.) (And yes, there are lots of reasons why most programmers shouldn't be allowed to use C for most applications.)
But as Nikita Borisov pointed out, it's more than just a problem with the code, it's that nobody tested whether the code did what it was supposed to before they shipped it. It's an organizational problem.
harmful: goto fail;
fail: goto harmful;
How would this affect a separate signature over a software update? The bug is in SSL handling code; an at-rest signature doesn't use SSL.
I think the problem is the code did -exactly- what it was supposed to do. It's just not what we paid for. And I say this as a lifelong "fanboy".
I'm surprised iOS was patched before OS X.
Only if you're using 10.9.x apparently.
I'm still a bit bemused on how much attention this gets compared to the plethora of Windows security threats, but Windows security threats are so rampant it stopped being news a long time ago.
That said, Apple done goofed and I hope this news spreads everywhere and hurts the Apple brand enough to get them to seriously step up their game.
The iPad is extremely popular and this affected a lot of people. I wasn't personally affected by this hole, but I do hope that Apple gets raked over the coals on this one.
If you use Apple products, you should be a squeaky wheel on this and let Apple know how much you don't appreciate this glaring flaw. Also, spread this info far and wide. Apple needs to be made very uncomfortable with this.