
Apple Fixes Major SSL Bug In OS X, iOS

Posted by Soulskill
from the more-broken-security-stuff dept.
Trailrunner7 writes: "Apple has fixed a serious security flaw that is present in many versions of both iOS and OS X and could allow an attacker to intercept data on SSL connections. The bug is one of many the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OS X Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user's network, he might be able to intercept supposedly secure traffic or change the connection's properties."

  • by Valdrax (32670) on Tuesday April 22, 2014 @04:32PM (#46818095)

    Also fixed in Lion, according to the link, for those of us still using older Macs.

    • What about iOS 6? There's still a lot of older iPhones out there.

      • by dimeglio (456244)
        Good point. According to the FA, it looks like it affects iOS 7.1 and earlier. A good excuse to upgrade your iDevice. I don't expect Apple to patch unsupported hardware but if people complain, they might get it done.
        • iOS 6 did receive a patch about another SSL vulnerability a few months back, I think.

          What I'm hoping for is for Apple to enable FaceTime Audio for the iPhone 3G and iPhone 3GS. All this talk about Earth Day is nice, but what's really helpful for users and the environment is to use older devices longer before recycling them.

          • by sconeu (64226)

            Only for older iPods/iPhones. If your device is capable of running 7, you will not have the 6.x upgrade available.

  • by Anonymous Coward on Tuesday April 22, 2014 @04:56PM (#46818281)

    Tell me again how this whole issue with SSL is due to the nature of open source and how it's only the commie OpenSSL which can't be trusted...

    Seems to me Apple's got a bit of a quality control issue itself.

    What's Apple's excuse?

    • by x0ra (1249540) on Tuesday April 22, 2014 @05:02PM (#46818321)
      'apple' is smart enough not to give the issue a sexy name like "heartbleed", and thus it will go unnoticed among non-tech people...
    • by jo_ham (604554)

      Tell me again how this whole issue with SSL is due to the nature of open source and how it's only the commie OpenSSL which can't be trusted...

      Seems to me Apple's got a bit of a quality control issue itself.

      What's Apple's excuse?

      Apple's SSL implementation is also open source.

      Oh, sorry, I interrupted you in the middle of an uninformed Apple bash. Do carry on. My apologies.

      Their excuse is "open source means lots of eyes!" No wait, it's "whatever we do we'll be attacked, so we just dropped the ball and said 'fuck it'".

  • Snow Leopard (Score:3, Insightful)

    by Anonymous Coward on Tuesday April 22, 2014 @05:07PM (#46818343)

    I have a perfectly good MBP of early 2007 vintage running Snow Leopard which can't be upgraded, and it still does the job I need of it today. I can't bring myself to 'upgrade' to the modern MBPs as I hate the chiclet keyboard, so I'm swinging back to Windows laptops (Linux+Windows) to avoid Apple abandonware in the future.
    For all the criticism Microsoft gets, at least they don't abandon semi-old stuff.

    • by koan (80826)

      Install Linux or Windows.

    • Re:Snow Leopard (Score:5, Informative)

      by jo_ham (604554) on Tuesday April 22, 2014 @05:58PM (#46818691)

      An "early 2007 vintage" MBP can run Lion.

      If your machine is stuck on 10.6 then it's not "early 2007" but "early 2006".

      The youngest MacBook Pro that can't run anything later than 10.6 is the Early 2006 with the Core Duo CPU and 2GB RAM.

      Yeah, really "abandonware" there. *eyeroll*

      • by AmiMoJo (196126) *

        Lion doesn't have any PPC support, so might not be an option. Even if it is, Lion runs very poorly on machines of that age, so would be a massive downgrade in terms of performance and productivity.

        Remember all the stick Microsoft got about "Vista compatible" machines that ran it like a dog? "Possible" and "advisable" or "practical" are different things.

        • by jo_ham (604554)

          That's true - if you need Rosetta support, you are stuck on 10.6. Most apps have x86-native binaries by now, but not all, especially if you have older, unsupported software. I guess for many people this will be Adobe CS1.

      • My MacBook Pro is from mid 2010. I stopped "upgrading" at Snow Leopard because that is when OS X went off the deep end. Snow Leopard itself actually annoys me with the "integrated app store" bullshit. I wanted a Unix-based laptop with a semi-reasonable GUI and all I would have if I upgraded to the latest is an ugly iOS device doing everything it can to get me to buy shit.

        • by jo_ham (604554)

          My MacBook Pro is from mid 2010. I stopped "upgrading" at Snow Leopard because that is when OS X went off the deep end. Snow Leopard itself actually annoys me with the "integrated app store" bullshit. I wanted a Unix-based laptop with a semi-reasonable GUI and all I would have if I upgraded to the latest is an ugly iOS device doing everything it can to get me to buy shit.

          Loving the hyperbole.

          OS X looks nothing like iOS. It has the launchpad, which is clearly derived from the iOS springboard, but using it is totally optional (I never do - I just launch apps the way I've been doing it since 10.1).

          OS X also doesn't "do everything it can" to get you to buy shit - using the App Store is optional for anything other than the core apps and OS. It's where you get core updates from (for the OS and built-in apps), but it is far from the sole source of software, nor is it intrusive.

          I'm

    • when you try to put Windows 8.1 on a 7-year-old computer.
  • by Anonymous Coward

    Impact: An attacker with a privileged network position may capture
    data or change the operations performed in sessions protected by SSL
    Description: In a 'triple handshake' attack, it was possible for an
    attacker to establish two connections which had the same encryption
    keys and handshake, insert the attacker's data in one connection, and
    renegotiate so that the connections may be forwarded to each other.
    To prevent attacks based on this scenario, Secure Transport was
    changed so that, by default, a renegotiatio
