
Apple To Review Software Practices After Patching Serious Mac Bug (reuters.com)

Apple said on Wednesday it would review its software development process after scrambling to patch a serious bug it learned of on Tuesday in its macOS operating system for desktop and laptop computers. From a report: "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple said in a statement. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

  • by Anonymous Coward
    Was it an H1-B developer or something that was sent to India?
  • Holy shit (Score:3, Insightful)

    by nightfire-unique ( 253895 ) on Wednesday November 29, 2017 @01:28PM (#55644785)

    Not a Mac fan, but this is the most honest, respectable response to a mistake I've seen from a corporation in a long time.

    Props, Apple.

    • Re:Holy shit (Score:5, Insightful)

      by Ichijo ( 607641 ) on Wednesday November 29, 2017 @01:49PM (#55644931) Homepage Journal

      Talk is cheap. Let's see what the audit finds. And why did previous audits fail to find the flaw?

      • by sconeu ( 64226 )

        They're not auditing the code. They're auditing the process, to find the root cause as to why the software flaw wasn't detected.

      • Talk is cheap. Let's see what the audit finds. And why did previous audits fail to find the flaw?

        Because it requires a specific, multi-step process to trigger.

    • by reanjr ( 588767 )

      Given the perceived ineptitude required to create the problem, it's kind of the only response they can offer. Looking at their track record, Apple is probably the worst of the big three (OS X/Windows/Linux) in addressing security issues. That said, that still puts them way ahead of most application developers.

    • by shanen ( 462549 ) on Wednesday November 29, 2017 @02:07PM (#55645067) Homepage Journal

      Apple's response is just PR-driven BS, and your comment does NOT deserve the "insightful" moderation the shills and sakura gave it. The only insight from your comment is that you have minimal contact with Apple.

      Try and honestly criticize Apple in an Apple-controlled venue and you will find out what total lack of respect means in a profit-dominated context. For example, if you had tried to describe this rather horrendous security problem and gotten too negative, I predict you would have found your comment blocked. Based on my years of experiences involving a MacBook Pro (which I still use on a daily basis for certain tasks), I actually think Apple has automated the censorship using sentiment analysis of the draft comment. Or perhaps it's profile-driven by the secret dossiers they have on each of us?

      I could write a more substantive response on the topic, but here on Slashdot such a comment would merely be shouted down by pro-Apple fanbois with mod points to burn. Not worth the time, though I will donate a few seconds for a rerun of the capsule version:

      Capitalism and communism are dead. Our new religion is corporate cancerism. There is no gawd but profit, and Apple is gawd's chief prophet.

      • Apple's response is just PR-driven BS, and your comment does NOT deserve the "insightful" moderation the shills and sakura gave it. The only insight from your comment is that you have minimal contact with Apple.

        Try and honestly criticize Apple in an Apple-controlled venue and you will find out what total lack of respect means in a profit-dominated context. For example, if you had tried to describe this rather horrendous security problem and gotten too negative, I predict you would have found your comment blocked. Based on my years of experiences involving a MacBook Pro (which I still use on a daily basis for certain tasks), I actually think Apple has automated the censorship using sentiment analysis of the draft comment. Or perhaps it's profile-driven by the secret dossiers they have on each of us?

        I could write a more substantive response on the topic, but here on Slashdot such a comment would merely be shouted down by pro-Apple fanbois with mod points to burn. Not worth the time, though I will donate a few seconds for a rerun of the capsule version:

        Capitalism and communism are dead. Our new religion is corporate cancerism. There is no gawd but profit, and Apple is gawd's chief prophet.

        Why use so many words? You could have packaged all that into a single sentence:

        Blasphemy!! Summon the Holy Inquisition !! BUUUUUUURN THE HERETIC!!!

        • by shanen ( 462549 )

          If you can't understand what I wrote and actually want to, please feel free to ask for clarification.

          If you can't understand what I wrote and don't want to, that's certainly your prerogative.

          If you have nothing to say, why don't you just say nothing?

          Let me check again. Yes, rereading your so-called reply and making suitable allowances for your poor writing, I can confirm that there is nothing there that has any relevance to anything I wrote. FYI.

    • Not a Mac fan, but this is the most honest, respectable response to a mistake I've seen from a corporation in a long time.

      Props, Apple.

      I agree.

    • I'll save my judgement until we see an end to issues like this or "goto fail" after a few years. It was the correct response, but it's easy to say anything that you think people want to hear.

      Do you think Apple even does integration or regression testing? I can't imagine "goto fail" would have slipped past if they were, because that's about the most basic "is the functionality working" test you'd start with. That seems like a good place to start.

• Sorry to disagree, if your system has a 'deactivated root account' and if you still can log on to it, is probably the least thing anyone is considering to test. Especially in a regression test.

When and how and why did such a vulnerability get introduced? How often do you want your test(er) to click the unlock button?

        • That's why I specifically mentioned the "goto fail" issue. That tiny bug completely broke SSL/TLS. How could they not be testing basic functionality like that before it's released?

          I'll grant that this particular situation might not have been tested, although to me, testing with root and a blank password seems fairly obvious. But this seems like a more widespread problem for Apple and how they test (or don't test) basic functionality. And I'm not talking about using human testers. This should be 100% au
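The "goto fail" bug the comment above compares this to is the 2014 SecureTransport flaw: a duplicated `goto fail;` line made the jump unconditional, the server key exchange signature check after it was never reached, and the function returned the still-zero `err`, i.e. success, for any signature. The C below is an added example for this thread, not Apple's code and not the commenter's: it re-creates the control-flow shape with toy stand-ins for the hash and the raw signature check (`hash_update`, `toy_raw_verify`, `toy_sign` and the sample message are all constructed for the example), and runs the kind of basic negative test the comment says should have caught it.

```c
/* Added example: a simplified re-creation of the "goto fail" control flow.
 * The hash and signature primitives are toy stand-ins, not real crypto. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy "hash": FNV-1a over the message (stands in for the SHA-1 context). */
static uint32_t toy_hash(const uint8_t *msg, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Toy "signature": hash XOR a shared secret (stands in for the RSA check).
 * toy_raw_verify returns 0 on match, -1 on mismatch. */
#define TOY_KEY 0xA5A5A5A5u
static int toy_raw_verify(uint32_t hash, uint32_t sig) {
    return (hash ^ TOY_KEY) == sig ? 0 : -1;
}
static uint32_t toy_sign(const uint8_t *msg, size_t len) {
    return toy_hash(msg, len) ^ TOY_KEY;
}

/* Stand-in for a hash-context update that can fail (rejects empty input). */
static int hash_update(uint32_t *ctx, const uint8_t *msg, size_t len) {
    if (len == 0) return -1;
    *ctx = toy_hash(msg, len);
    return 0;
}

/* Mirrors the buggy control flow. Returns 0 when the signature is accepted. */
int verify_vulnerable(const uint8_t *msg, size_t len, uint32_t sig) {
    int err;
    uint32_t hash = 0;
    if ((err = hash_update(&hash, msg, len)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional, so the check below is dead */
    if ((err = toy_raw_verify(hash, sig)) != 0)
        goto fail;
fail:
    return err;      /* still 0 from the successful hash_update: any sig is accepted */
}

/* The same function with the stray line removed. */
int verify_fixed(const uint8_t *msg, size_t len, uint32_t sig) {
    int err;
    uint32_t hash = 0;
    if ((err = hash_update(&hash, msg, len)) != 0)
        goto fail;
    if ((err = toy_raw_verify(hash, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* The basic functional test the thread asks about: a valid signature must be
 * accepted AND a forged one must be rejected. Returns 1 if the verifier under
 * test passes both cases, 0 otherwise. */
int passes_basic_tests(int (*verify)(const uint8_t *, size_t, uint32_t)) {
    const uint8_t msg[] = "ServerKeyExchange params";   /* constructed sample */
    uint32_t good = toy_sign(msg, sizeof msg);
    uint32_t forged = good ^ 1u;                         /* flip one bit */
    if (verify(msg, sizeof msg, good) != 0) return 0;    /* positive case */
    if (verify(msg, sizeof msg, forged) == 0) return 0;  /* negative case */
    return 1;
}

int main(void) {
    printf("vulnerable verifier passes tests: %d\n", passes_basic_tests(verify_vulnerable));
    printf("fixed verifier passes tests:      %d\n", passes_basic_tests(verify_fixed));
    return 0;
}
```

Only the negative case catches it: the vulnerable version passes a "does a valid signature verify" test just fine, which is why a test suite built from happy paths alone lets this through. Compiler help is partial and came later: GCC 6 and newer warn on the indentation under -Wmisleading-indentation (part of -Wall), and clang flags the dead `if` under -Wunreachable-code, which is not in -Wall.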

          • Not a good example.
SQLite, as any data base, can be tested 100% automatically.
            To log on with no passwd as root, you first have to come to the idea that this might even be possible.
On the other hand you can easily automate that the passwd file (or shadow passwords) have a password for root.
            I actually never came to the idea to log on as root via the gui. But I never needed to.
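The automated check the reply above describes, that the stored credential for root is locked and that no account at all has an empty password field, as an added C example over constructed /etc/shadow-style records (not code from the thread or from Apple). One caveat before running it on a Mac: macOS does not keep local accounts in /etc/shadow; the record lives in Open Directory and is read with `dscl . -read /Users/root`, where a disabled root carries `;DisabledUser;` in its AuthenticationAuthority attribute, so the same classification has to be applied to that output instead. A second caveat from the thread itself: a state check like this is necessary but does not exercise the login path, so the blank-password login attempt as root discussed above is still needed as a separate test.

```c
/* Added example: classify the password field of shadow-style records and
 * flag any account that can be logged into with an empty password.
 * The sample records below are constructed for the example. */
#include <stdio.h>
#include <string.h>

enum pw_state { PW_LOCKED, PW_HASHED, PW_EMPTY, PW_MALFORMED };

/* Classify the second colon-separated field of one record; copies the
 * user name into `user`. Returns PW_MALFORMED for unparseable lines. */
enum pw_state classify_shadow_line(const char *line, char *user, size_t usersz) {
    const char *c1 = strchr(line, ':');
    if (!c1) return PW_MALFORMED;
    size_t ulen = (size_t)(c1 - line);
    if (ulen == 0 || ulen >= usersz) return PW_MALFORMED;
    memcpy(user, line, ulen);
    user[ulen] = '\0';
    const char *pw = c1 + 1;
    const char *c2 = strchr(pw, ':');
    size_t plen = c2 ? (size_t)(c2 - pw) : strlen(pw);
    if (plen == 0) return PW_EMPTY;                        /* no password needed */
    if (pw[0] == '!' || pw[0] == '*') return PW_LOCKED;    /* "!", "!!", "*", "!$6$..." */
    return PW_HASHED;                                      /* enabled, has a hash */
}

/* Walk a set of records. Returns the number of accounts with an empty
 * password field; *root_state receives root's classification, or
 * PW_MALFORMED if no root record was seen (also a finding). */
int audit_shadow(const char *const *lines, size_t n, enum pw_state *root_state) {
    int empty = 0;
    *root_state = PW_MALFORMED;
    for (size_t i = 0; i < n; i++) {
        char user[64];
        enum pw_state st = classify_shadow_line(lines[i], user, sizeof user);
        if (st == PW_MALFORMED) continue;
        if (strcmp(user, "root") == 0) *root_state = st;
        if (st == PW_EMPTY) {
            empty++;
            fprintf(stderr, "FAIL: %s has an empty password field\n", user);
        }
    }
    return empty;
}

/* Convenience wrapper: 1 if root is present and locked, else 0. */
int root_is_locked(const char *const *lines, size_t n) {
    enum pw_state rs;
    audit_shadow(lines, n, &rs);
    return rs == PW_LOCKED;
}

/* Constructed samples: a healthy set (root locked) and a broken set
 * (root present with an empty password, the case this check must catch). */
static const char *const GOOD[] = {
    "root:*:17500:0:99999:7:::",
    "daemon:*:17500:0:99999:7:::",
    "alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:17500:0:99999:7:::",
};
static const char *const BAD[] = {
    "root::17500:0:99999:7:::",
    "alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:17500:0:99999:7:::",
};

int main(void) {
    enum pw_state rs;
    int n = audit_shadow(GOOD, 3, &rs);
    printf("good set: %d passwordless, root %s\n", n, rs == PW_LOCKED ? "locked" : "NOT locked");
    n = audit_shadow(BAD, 2, &rs);
    printf("bad set:  %d passwordless, root %s\n", n, rs == PW_LOCKED ? "locked" : "NOT locked");
    return 0;
}
```

Wired into CI, the pass condition is `audit_shadow(...) == 0 && root_is_locked(...)`; the "no root record at all" case is deliberately reported as not-locked rather than silently passing.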

  • by cstacy ( 534252 ) on Wednesday November 29, 2017 @01:31PM (#55644805)
    You're releasing it wrong.
  • That's what I call courage
  • by darth dickinson ( 169021 ) on Wednesday November 29, 2017 @01:35PM (#55644849) Homepage

    This was posted as recently as November 13, as a "solution" to an issue of not having an administrative account: https://forums.developer.apple... [apple.com]

  • by ZorinLynx ( 31751 ) on Wednesday November 29, 2017 @01:48PM (#55644925) Homepage

    There's all kinds of cosmetic and usability bugs floating around, and Apple doesn't seem to be in a hurry to fix them. They're the kind of bugs that aren't showstoppers but are still very annoying or can result in bad data.

    The Calculator bug in iOS is one example of a recent bug that can produce bad data and wasn't fixed. Until iOS 11.2 (which isn't out yet!) even though it was reported way back in 11.0 beta, before the OS was released to the public.

    Another recent issue, though less important, is that the Weather widget will randomly stop updating, so you'll be seeing last night's weather instead of right now. This bug was also reported several versions ago and is as of yet unfixed in the latest 11.2 beta.

    I know bugs happen; nobody is perfect. But these are obvious, reproducible bugs that are not being fixed after being reported months prior. What the hell, Apple?

    • There's all kinds of cosmetic and usability bugs floating around, and Apple doesn't seem to be in a hurry to fix them. They're the kind of bugs that aren't showstoppers but are still very annoying or can result in bad data.

      The Calculator bug in iOS is one example of a recent bug that can produce bad data and wasn't fixed. Until iOS 11.2 (which isn't out yet!) even though it was reported way back in 11.0 beta, before the OS was released to the public.

      Another recent issue, though less important, is that the Weather widget will randomly stop updating, so you'll be seeing last night's weather instead of right now. This bug was also reported several versions ago and is as of yet unfixed in the latest 11.2 beta.

      I know bugs happen; nobody is perfect. But these are obvious, reproducible bugs that are not being fixed after being reported months prior. What the hell, Apple?

      Oooh, how horrible!

      A UI bug in the free Calculator App, and an Update bug in the Weather Widget?

      Seriously?

      Now, let's compare that against Windows and Linux, shall we?

      • The thing is I agree with you; the bugs aren't show stoppers. I even mentioned that in my original comment.

        But this is evidence that Apple's attention to detail is not what it used to be. These sort of bugs didn't exist prior to iOS 7. I've been using iOS since version 3, and right around the time of iOS 7 there was a noticeable drop in QC which persists to this day.

    • My big gripe is that they fail to acknowledge bugs as such: their miserable implementation of SMB, and eliminating FTP and Telnet clients are my two biggest gripes. They are really burning bridges with this crap.

      • Yeah, I agree. I don't think it's really an Apple problem, which is why I think they can get a away with it, but a more general "developer" problem. A lot of developers seem to spend endless amounts of time trying to develop new cool features, or else shuffling the UI around, but they don't actually fix some of the very real and fundamental problems that people have.

        Working in IT, it's just endless. There are tons and tons of problems with every product that I deal with where it's needlessly complicated

    • by cyn1c77 ( 928549 )

      What the hell, Apple?

      Dear Peon,

      We're sorry for your inconvenience. We are aware of these "features" and will address them as we feel like it.

      In the meanwhile, please feel free to purchase 3rd party apps to solve your needs.

      We will appreciate the profit that we make off of your purchases.

      Sincerely,
      Apple Customer Service

  • True enterprise level bugs, only from Apple

  • Give 'em a break, they've only been developing software for 40 years

  • My bet is Apple's audit will find their development practice was followed. And then QA teams will have to reinspect why this wasn't caught in UAT. The security team will have to evaluate why their scanning tools did not pick this up. And then the dev team will have to find out why there wasn't a unit test to catch this before mainline checkin.
  • by Joe_Dragon ( 2206452 ) on Wednesday November 29, 2017 @02:15PM (#55645155)

    Now dump the thin is king hardware devs! and get some real workstations. IMAC pro no ram door come on it's not that hard!

  • I totally agree that waterfall planning for software doesn't make sense, but IMO neither does Features Features Features, 10 deploys a day, release now/patch later, and all the other things we've gotten as the pendulum shifted all the way to the other side. I'm on the Windows side of the fence and it's been an interesting couple of years watching them run through release release release and gradually slow it down a bit as they see quality dropping.

    Operating system or application code, running on machines pe

  • by jmichaelg ( 148257 ) on Wednesday November 29, 2017 @03:15PM (#55645651) Journal

    IOS has a "feature" that the OS pops up a request for your Apple ID credentials at random times. Open Pandora and you'll get a popup. Open pretty much anything and the popup appears. There's no provenance to the pop up so you don't know what part of OS is asking for the credentials or why. Backup works without answering the request as you can be signed into iCloud and still get the pop up.

    My response is to dismiss the pop up and continue with what I'm doing but it's a PITA. A naive user will enter their credentials in the hope the "feature" is mollified which it sometimes isn't.

The correct way for IOS to ask for the credential is for the popup to say "Open Settings/icloud ( or whatever) and enter your AppleID." Settings would second the request by posting a little icon indicating there's a response pending ala a text message. An animation within settings would guide the forgetful user if the path is more than one level deep in settings so they'd navigate to the proper IOS setting to satisfy the pop up. The point of all that is you know you're talking to Settings when you provide credentials.

    The current scheme is ripe for an app to steal your Apple ID. Write an app that does something kind of useful, wait for the 10th, 20th, run and pop an identical pop up that looks just like the OS popup. The user can't tell if it's the app or IOS asking and enters their credentials. Voila, you have access to the user's Apple ID. A little more elided hacking will circumvent 2 factor if it's enabled.

    Too much water has gone under the bridge that I guess an obvious attack is new again.

  • Something's fishy about the "auditing our development processes" response. Maybe somebody was deliberately trying to slip in a back door?
  • We greatly regret this error and we apologize

Of course they do. What company would not copy/paste the security breach boilerplate in such a situation? It could even be automated: if +"security flaw" +apple yields something in the news, send the press release.

  • We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better...

    But don't be fooled: one thing Apple remains firm on—Apple's customers don't deserve software freedom [gnu.org]. Apple will continue to pursue its walled garden, ever restrictive practices built around DRM, proprietary software, app store censorship, and so on (see more about how Apple's malware adversely affects its users [gnu.org]). The latest insec
