Apple Fixes Major SSL Bug In OS X, iOS
Trailrunner7 writes: "Apple has fixed a serious security flaw present in many versions of both iOS and OS X that could allow an attacker to intercept data on SSL connections. The bug is one of many the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OS X Mountain Lion and Mavericks is an issue with the Secure Transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user's network, he might be able to intercept supposedly secure traffic or change the connection's properties."
Also fixed in Lion (Score:3)
Also fixed in Lion, according to the link, for those of us still using older Macs.
Re: (Score:3)
What about iOS 6? There's still a lot of older iPhones out there.
Re: (Score:2)
Re: (Score:2)
iOS 6 did receive a patch for another SSL vulnerability a few months back, I think.
What I'm hoping for is for Apple to enable FaceTime Audio for the iPhone 3G and iPhone 3GS. All this talk about Earth Day is nice, but what's really helpful for users and the environment is to use older devices longer before recycling them.
Re: (Score:2)
Only for older iPods/iPhones. If your device is capable of running 7, you will not have the 6.x upgrade available.
Not an open source issue. (Score:3, Insightful)
Tell me again how this whole issue with SSL is due to the nature of open source and how it's only the commie OpenSSL which can't be trusted...
Seems to me Apple's got a bit of a quality control issue itself.
What's Apple's excuse ?
Re:Not an open source issue. (Score:5, Insightful)
Re: (Score:3, Insightful)
But the bug probably is heartbleed. They're just not disclosing that they were affected.
Re:Not an open source issue. (Score:5, Informative)
It's a MITM attack. Heartbleed is not MITM.
Re: (Score:2)
Re: (Score:2)
But the bug probably is heartbleed. They're just not disclosing that they were affected.
What do you mean by "they were affected"? Only _servers_ were affected by the "heartbleed" bug. Apple was lucky enough that its major services (App Store, iTunes, iCloud) didn't use OpenSSL.
Re: (Score:2)
Not sure it's luck, since Apple went out of its way to replace OpenSSL in 2011 [appleinsider.com] because they didn't think it was secure enough. (Granted, their own replacement wasn't perfect, either, as seen by both this and the "goto fail" bug.)
Re: (Score:3)
Re: (Score:3)
Only _servers_ were affected by the "heartbleed" bug.
Wrong.
Errr... (Score:2)
Re: (Score:2)
You know, information like that should really be in the article.
Oh wait.
Re: (Score:2)
How do you figure? This bug is specific to MITM attacks from an attacker on one's own network, has nothing to do with the heartbeat functionality that Heartbleed relied on, and the nature of the attack is that the attacker can execute arbitrary code, change the properties of the connection, or get data traveling over the network, rather than merely being able to access random 64K bits from memory. This is something wholly separate from Heartbleed, and likely ties back in with the ongoing security audit they'
Re: (Score:2)
Decided to post instead of modding you down, since you may not know that Apple does not use OpenSSL; therefore you are just wrong.
Re: (Score:2)
Tell me again how this whole issue with SSL is due to the nature of open source and how it's only the commie OpenSSL which can't be trusted...
Seems to me Apple's got a bit of a quality control issue itself.
What's Apple's excuse ?
Apple's SSL implementation is also open source.
Oh, sorry, I interrupted you in the middle of an uninformed Apple bash. Do carry on. My apologies.
Their excuse is "open source means lots of eyes!" No wait, it's "whatever we do we'll be attacked, so we just dropped the ball and said 'fuck it'".
Re: (Score:2)
Executing arbitrary code is how the jailbreaks work. They exploit some weakness to patch the system, removing a few safeguards in the process (that's why there are some viruses out there that only affect jailbroken iOS devices).
Snow Leopard (Score:3, Insightful)
I have a perfectly good MBP of early 2007 vintage running Snow Leopard which can't be upgraded, and it still does the job I need of it today. I can't bring myself to 'upgrade' to the modern MBPs as I hate the chiclet keyboard, so I'm swinging back to Windows laptops (Linux+Windows) to avoid Apple abandonware in the future.
For all the criticism Microsoft gets, at least they don't abandon semi-old stuff.
Re: (Score:2)
No, I've got a 2008 Mac Mini that was updated to Snow Leopard, and I haven't seen any updates for awhile. Newegg also wouldn't let me order using the Mini because of the older version of Safari that runs on SL.
If I upgrade to 2G of RAM, it looks like I can upgrade to Lion, but not Mountain Lion. I was going to upgrade the RAM anyway because it seems to run a bit sluggish, but the Mini maxes out at 2G, which is the lower limit of Lion. So it may be a wash, performance-wise.
Re: (Score:2)
So you have a six year old machine that was the lowest spec you could buy at that time. You're surprised you can't run the latest and greatest???
Re: (Score:2)
Re: (Score:2)
Depends on what you mean by "artificial". If it runs like molasses on less than 2GB of RAM and an ancient processor, then limiting it to newer hardware is a reasonable choice.
Re: (Score:3)
Here's an interesting point similar to what someone posted down below.
In my basement I have a Sun X4500 storage server (circa 2007) and it is currently running Solaris 11.1 without issues. The system has two "ancient" AMD Opterons, but since little has changed in terms of processor instruction sets they run fine.
So this is a system from 2007 running an OS released in 2011 and supported until 2024. Heck, I might upgra
Re: (Score:2)
Unless it's slightly earlier than he thinks and is a Core Duo instead of a Core 2 Duo. Then there is the RAM requirement. Comparing support lifetime for a server OS and Hardware to a Mac Mini running a desktop OS is ridiculous.
Re: (Score:2)
They also say a 2009 or later Mini; does the small difference in processing power really make a difference then?
Re: (Score:2)
It's not just processing power. Some of the earlier processors are not fully 64-bit and some have limitations on the memory they can address.
Re: (Score:1)
Re: (Score:2)
Windows Vista, which was released in 2007, still receives security patches. Most computers of that age will install W7 fine, though you might want to bump the RAM if you want it to be enjoyable. XP was supported with patches for over a decade. Apple locks you into expensive hardware and wants you to buy new every few years,
Re: (Score:2)
And Windows 7 was released when??? Mavericks was released a few months ago. The versions of OS X that were released around that time are still receiving security updates too and will still run fine on six year old hardware. The issue here is that Mavericks is 64-bit only and it makes some assumptions about the hardware. Nothing different here. Would you rather they did what MS did with Windows 8 and certify hardware they knew would run like crap?
Re: (Score:1)
I was pretty sure that Vista was EOL'd already. W7 is scheduled for next year. Win8 is ended this year, all of course as far as "free" patches go.
Snow Leopard was still getting patches until Mar 2014. As for it being on sale, it's only there as a gateway for pre-Snow Leopard systems to get to Mavericks, however small that number may be. It's also a way to run PPC software on newer Macs via Parallels or the like. Yes, you can run that (accidentally) free copy of Adobe PS 2 you downloaded.
Re: (Score:1)
VAX/VMS supported into late 1990s (Score:1)
Sadly, VMS support for VAX ended around 7.1 or 7.3 or something - it was in the late nineties. But every Alpha ever made (at least "that ever ran VMS in the first place") can run the latest version.
All UltraSPARCs can run Solaris 10.X. Hardware from this millennium is required for Solaris 11.X (more or less). Pre-Ultra machines are kind of limited - a microSPARC machine (SPARCstation 5 and similar) is supported on 2.9, but unless you max out the RAM you're better off at 2.8. SPARCs with VME buses (4/110
Re: (Score:2)
Looks like it's the opposite to me. He's complaining that he's forced to purchase upgrades to the latest and greatest major versions of his OS, and purchase hardware that it says it will run on, just for a security patch.
Re: (Score:1)
Re:Snow Leopard (Score:4, Informative)
If I upgrade to 2G of RAM, it looks like I can upgrade to Lion, but not Mountain Lion. I was going to upgrade the RAM anyway because it seems to run a bit sluggish, but the Mini maxes out at 2G, which is the lower limit of Lion. So it may be a wash, performance-wise.
No, it will be a huge step backwards. Do not, under any circumstance, install Lion if you can possibly avoid it. Not only is 2GB not enough to run Lion in any reasonable manner, but even if you have more RAM than that, Lion is a molasses sucking pig. The last OS for any hardware I used that was that bad and that much of a step backwards from what came before it was... umm... Wow, can't think of one. Lion wins. Or, actually, loses.
Installing it was the worst single decision I've made regarding Apple software on my early 2008 MacBook Pro. I even did a clean install from official Apple USB media (i.e. the USB fob you had to pay extra for instead of just downloading it) and upgraded RAM to 4GB on account of Lion. Take it from myself and several of my coworkers who regretted ever getting within 100 feet of Lion that it is best avoided. Mountain Lion didn't suck, but only by comparison to Lion. Mavericks is a little bit better yet, but still not nearly as snappy as Snow Leopard.
My gut reaction: Don't worry about Snow Leopard being out of date, even security-wise. A man-in-the-middle is rare in most environments, and Snow Leopard is already quickly diminishing in market share, so it's not terribly likely to be widely exploited. Compared to the every day pain you'll cause yourself by installing Lion or later, the tiny risk profile of running a vulnerable Snow Leopard is worth it, in my opinion.
Re: (Score:2)
Everyone has different experiences. I never had problems with Lion (mid-2011 MBA), but I saw enough people complaining that I won't doubt you. On the other hand, I could never go back to Snow Leopard after Mountain Lion, and especially not after Mavericks.
Re: (Score:1)
On the other hand, I could never go back to Snow Leopard after Mountain Lion, and especially not after Mavericks.
Why? (I'm honestly curious)
Note: I'm running SL, ML, and Mavericks, and I have to say, SL is the most stable, followed by Mavericks, ML is "ok", and my brief experience with Lion was only because ML came out and I decided to jump directly to it even though I had had a Lion disk for a year. (Yes, the "bad" stories made me hold off long enough for the "fix" to come out.)
I'm still not 100% happy with the effects of Grand Central, only because the stability has not been returned to SL standards. However, Ma
Re: (Score:2)
Re: (Score:2)
There is no such thing as a 2008 Mac Mini, you probably got a Mid 2007 Mac Mini which runs up to Mac OS X 10.7.5 which is still supported and can actually take up to 3GB of memory (2GB was the maximum configuration by Apple).
If you want to, you can install Linux on the machine. I don't know why NewEgg would crap out on the browser because that Safari supports common versions of ECMAScript and HTML5, try Firefox otherwise.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
You're right; it's a 2007 model purchased in 2008. The point is, it can't run anything beyond 10.7 (without limited workarounds), and 10.6 is not getting any updates. My point was that Snow Leopard isn't getting any updates, and older hardware is limited as to what you can upgrade to.
It seems to be a shame that hardware that can last for 6+ years has to be abandoned because the OS is no longer supported.
Re: (Score:2)
To be fair, that's a 7yo computer... What's the right lifetime so an OS doesn't count as abandonware? They still do Snow Leopard updates, I think.
Do we apply that same logic to Windows XP?
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Install Linux or Windows.
Re:Snow Leopard (Score:5, Informative)
An "early 2007 vintage" MBP can run Lion.
If your machine is stuck on 10.6 then it's not "early 2007" but "early 2006".
The youngest macbook pro that can't run anything later than 10.6 is the Early 2006 with the Core Duo CPU and 2GB RAM.
Yeah, really "abandonware" there. *eyeroll*
Re: (Score:2)
Lion doesn't have any PPC support, so might not be an option. Even if it is Lion runs very poorly on machines of that age, so would be a massive downgrade in terms of performance and productivity.
Remember all the stick Microsoft got about "Vista compatible" machines that ran it like a dog? "Possible" and "advisable" or "practical" are different things.
Re: (Score:2)
That's true - if you need Rosetta support, you are stuck on 10.6. Most apps have x86-native binaries by now, but not all, especially if you have older, unsupported software. I guess for many people this will be Adobe CS1.
Re: (Score:2)
My MacBook Pro is from mid 2010. I stopped "upgrading" at Snow Leopard because that is when OS X went off the deep end. Snow Leopard itself actually annoys me with the "integrated app store" bullshit. I wanted a Unix based laptop with a semi-reasonable GUI and all I would have if I upgraded to the latest is an ugly iOS device doing everything it can to get me to buy shit.
Re: (Score:1)
My MacBook Pro is from mid 2010. I stopped "upgrading" at Snow Leopard because that is when OS X went off the deep end. Snow Leopard itself actually annoys me with the "integrated app store" bullshit. I wanted a Unix based laptop with a semi-reasonable GUI and all I would have if I upgraded to the latest is an ugly iOS device doing everything it can to get me to buy shit.
Loving the hyperbole.
OS X looks nothing like iOS. It has the launchpad, which is clearly derived from the iOS springboard, but using it is totally optional (I never do - I just launch apps the way I've been doing it since 10.1).
OS X also doesn't "do everything it can" to get you to buy shit - using the App Store is optional for anything other than the core apps and OS. It's where you get core updates from (for the OS and built in apps), but it is far from the sole source of software, nor is it intrusive.
I'm
Let me know how it goes (Score:2)
Re: (Score:2)
Not related to Heartbleed (Score:1)
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiatio
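The advisory excerpt above describes the remedy as a change to how Secure Transport handles renegotiation; the shipped rule (a fact about the advisory, not quoted on this page) is that a renegotiation must present the same server certificate as the original connection. The following is an added toy model of that client-side check, not Apple's code: the certificates are constructed byte strings rather than real X.509, and `ClientSession` and `run_scenario` are hypothetical names.

```python
# Added example: model of the client-side "same certificate on renegotiation" rule.
# Certificates are constructed byte strings; ClientSession/run_scenario are hypothetical.
import hashlib


class RenegotiationRejected(Exception):
    """Raised when a renegotiation presents a different server certificate."""


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the (constructed) DER bytes stands in for a real cert fingerprint.
    return hashlib.sha256(cert_der).hexdigest()


class ClientSession:
    """Tracks the server identity the client saw at its initial handshake."""

    def __init__(self, enforce_same_cert: bool):
        self.enforce_same_cert = enforce_same_cert  # the patched default is True
        self.pinned = None
        self.sent = []                              # data the client believes it sent

    def initial_handshake(self, server_cert_der: bytes) -> None:
        self.pinned = fingerprint(server_cert_der)

    def renegotiate(self, server_cert_der: bytes) -> bool:
        # Patched behaviour: the certificate must match the first handshake.
        # Unpatched behaviour: whatever the new handshake presents is accepted.
        fp = fingerprint(server_cert_der)
        if self.enforce_same_cert and fp != self.pinned:
            raise RenegotiationRejected("server certificate changed across renegotiation")
        self.pinned = fp
        return True


# Constructed sample certificates: the endpoint the client first connected to,
# and the real server whose certificate shows up after the renegotiation.
ATTACKER_CERT = b"-- constructed DER for attacker.example --"
SERVER_CERT = b"-- constructed DER for bank.example --"


def run_scenario(enforce_same_cert: bool) -> str:
    """Replay the renegotiation step for one client configuration.

    Returns 'accepted' if the client keeps the spliced connection (vulnerable
    behaviour) or 'rejected' if the same-certificate rule stops it.
    """
    client = ClientSession(enforce_same_cert)
    client.initial_handshake(ATTACKER_CERT)   # connection 1 terminates at the attacker
    client.sent.append("data inserted on connection 1")
    try:
        client.renegotiate(SERVER_CERT)       # connection is now forwarded to the server
    except RenegotiationRejected:
        return "rejected"
    return "accepted"
```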
Re: (Score:2)
Irrelevant, since the issue is the client implementation.
Re: (Score:2)
Because OSX uses Apple's SSL implementation?
Re: (Score:2)
No, it's irrelevant. No one uses OS X Server in a datacenter as their client PC. The web server that OS X uses in the server context is Apache - so... OpenSSL.
Re: (Score:2)
Re: (Score:1)
Most Amerikins do not realize that the gender neutral form is 'one', as in anyone, no-one, someone, or 'body', as in somebody, anybody and nobody. If everyone would realize that one could use one instead of he, she or it, then the gender issue in politically correct speak would largely go away.
The use of "one" when attempting to be PC regarding gender is offensive to conjoined twins. Especially conjoined fraternal twins and conjoined identical twins where one twin is transgendered.