Major Apple security flaw could allow hackers to pwn iOS devices, computers


#1

[Permalink]


#2

A backdoor so big you could drive a truck through it?

I WONDER HOW THAT HAPPENED?


#3

"There's an OS update." But the article says "No patch is available yet for that operating system, though one is expected soon." Software Update says nothing new yet...


#4

Um, I updated mine more than two hours before your message.

Bandwidth throttling by your ISP?


#5

Maybe people are just holding it wrong?


#6

You can read the details about the bug here and even test to see if you're vulnerable.

https://www.imperialviolet.org


#7

I'm more concerned that the bug is also present in OSX. Need a patch for my iMac and Air.


#8

@xeni, pwn has a very specific meaning. Did you pick the wrong word or were you suggesting that hackers could obtain control of an iOS device via this security issue?


#9

This is the correct URL to test:

https://www.imperialviolet.org:1266

(This bug is CVE-2014-1266, hence the port number).

Chrome will show a webpage unavailable, with "ERR_FAILED" when you click More.

Firefox will show a screen detailing the exact certificate problem.


#10

Her usage is correct. The lack of verification that the server is authentic means that a software update (or any download) means malware can be downloaded instead - malware that would give the attacker complete control of the computer, aka pwned.


#11

You're assuming that software updates aren't signed, i.e. that there's no at-rest authentication to complement the in-motion authentication.


#12

Interesting. IOS7 updated fine but still can't see anything for OS X.


#13

More of the NSA doing their best to sabotage the marketability of US tech companies?


#14

This affects the checking of the signatures.

Its really yet another security catastrophe caused by using C.

Visual Studio has warnings that check for dead code that catch the issue.


#15

It's not just a catastrophe caused by using C - you could make that kind of mistake in most programming languages, and many development environments would catch that. (I'm not going to check whether "lint" would, but certainly anything more powerful than that would check for it.) (And yes, there are lots of reasons why most programmers shouldn't be allowed to use C for most applications.)

But as Nikita Borisov pointed out, it's more than just a problem with the code, it's that nobody tested whether the code did what it was supposed to before they shipped it. It's an organizational problem.

harmful: goto fail;
fail: goto harmful;


#16

How would this affect a separate signature over a software update? The bug is in SSL handling code; an at-rest signature doesn't use SSL.


#17

I think the problem is the code did -exactly- what it was supposed to do. It's just not what we paid for. And I say this as a lifelong 'fanboy'.


#18

I'm surprised iOS was patched before OS X.


#19

Only if you're using 10.9.x apparently. wink


#20

I'm still a bit bemused on how much attention this gets compared to the plethora of Windows security threats, but Windows security threats are so rampant it stopped being news a long time ago.

That said, Apple done goofed and I hope this news spreads everywhere and hurts the Apple brand enough to get them to seriously step up their game.

The iPad is extremely popular and this affected a lot of people. I wasn't personally effected by this hole, but I do hope that Apple gets raked over the coals on this one.

If you use Apple products, you should be a squeaky wheel on this and let Apple know how much you don't appreciate this glaring flaw. Also, spread this info far and wide. Apple needs to be made very uncomfortable with this.