Apple promises to fix OS X encryption flaw ‘very soon’

“Apple Inc said on Saturday it would issue a software update ‘very soon’ to cut off the ability of spies and hackers to grab email, financial information and other sensitive data from Mac computers,” Joseph Menn reports for Reuters.

“Confirming researchers’ findings late Friday that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller told Reuters: ‘We are aware of this issue and already have a software fix that will be released very soon,’” Menn reports. “Apple released a fix Friday afternoon for the mobile devices running iOS, and most will update automatically.”

“The intruders do need to have access to the victim’s network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places,” Menn reports. “Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.”

Read more in the full article here.

Related articles:
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014

30 Comments

  1. “The intruders do need to have access to the victim’s network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places,” Menn reports.

    Wasn’t there a bunch of articles last week about how insecure most home and “free” wireless access points are? If they have a fix I’d suggest they get off their asses and get it distributed (the OSX fix). Maybe the color of the fix has to be passed by Ive or something.

    1. Maybe it needs to be thoroughly tested to make sure that they didn’t break something else with the new fix. Maybe you’ve never developed any software before, and don’t have a clue what’s involved.

      1. I’ve been writing code for over 30 years, but I don’t think you can count that high. Have you actually seen the piece of source code involved? I have.

        At the very least there should have been an email to every single customer with a registered, affected device telling them what was safe and what wasn’t (and what’s true out there and what’s BS). They didn’t seem to have any problem patching iOS nearly INSTANTLY. Another fine mess up in handling what’s really just a simple bug. Good going Apple management. Yeah, you really are all engineers at heart.

        The sales people are in the building. (For those of you who can’t count to 30 that’s a reference to Steve Jobs saying, “Look who’s in charge of Microsoft.”)

        1. If you’ve really been writing code for 30 years, Bob, I’d suggest you try not sounding like a petulant 14-year-old. Get a grip. Oh noooo, Apple sometimes makes a mistake, and sometimes they handle something badly.

          And really, doesn’t EVERYBODY who is not a complete neophyte know that no system is 100% secure? You also need to be protecting any information you have that is actually sensitive. E.g. by not sending your bank account password over the open Wi-Fi access you found while walking downtown.

          1. Agreed.
            For the record, I don’t think Apple made a mistake in the way they handled this. They are responding to a problem that, so far, hasn’t caused any problems at a fast and responsible speed. The iOS update wasn’t updated INSTANTLY as bob says, and they announced that a Mac OS (a more complex OS) update is coming very soon.

            Apple, unlike others, has taken the responsible steps in building OS’s that update quickly, easily, and automatically if users choose to. It doesn’t get any more responsible than that.

        2. Hello bob, I can count to 30. I’ve actually been programming professionally for nearly 50 years. Yes, I started on an IBM 360 with SPS, Fortran, and COBOL, as well as native machine code. I went on to learn and program in BASIC, C++, Ruby, Python, SQL, etc. These weren’t projects in my mom’s basement. They included data collection systems with millions of end points, running servers on Unix, and clients on Windows. Before applying new releases of the application software on those systems we had a testing application with scripts involving thousands of iterations of testing scenarios for every aspect of the application, from database querying to security. There’s a difference between shoot-from-the-hip, cowboy operations and formal testing and version management environments. Things don’t happen overnight, even when you are working 24/7.

            1. Funny, you didn’t capitalise Bob’s name. I used just such a subtle dig a fortnight past, reacting to an overreaching New Yorker blogger.

              Impressive road map, Zeke. You know, it can be tiresome, constantly having to learn new languages and protocols. Thank God for the invention of the laptop, which allowed me to study such developments on long plane trips. As it happens I am only just starting on Python, a version of which comes with OS X. Looks fun.

              Python resonates in Greek mythology, and the Priestess of the Oracle at Delphi is named Pythia, sort of my alter ego.

              Interesting that “Bob’s” excellent joke about Jony Ive slipped the radar in the “been there, done that” pissing contest.

            2. Yes! How dare you, Zeke! Have an actual background to talk from! Specify that background, so we know you’re not just some dick, spouting off! Horrors.

              You’d better learn to post properly:
              – Just say things without justifying them.
              – Be especially intense on topics you actually don’t know anything about.
              – Don’t stay on the issue of the article. Write about whatever you feel like.
              – Use insults, name calling and obscenity for at least 50% of the volume of your post.

            3. Uhhh, no. If you pay attention, you should be able to discern a real difference in style, like me doing something that Zeke would not do – viz. call you a sanctimonious prick.

            4. Have you considered registering at MDN? The place greatly benefits from contributions such as yours. A self-policing forum is generally the best at abating flame wars and exposing manipulative trolls. This advances reasonable discourse and provides a more sheltered cradle of ideas, of the sort the human race requires to fend off barbarianism and advance to a higher level of consciousness. No pressure, though.

            5. re
              “Have you considered registering at MDN?”

              I don’t understand how there would be any benefit to doing so. There seems to be just about no supervision of the mindless, vitriolic drivel that is so often posted. And registered or not, I can express what I think of it. Is there something I’m missing?

              By the way, Zeke – I appreciate hearing about your background (and you others who have done similarly). I find it interesting not only in terms of backing up a particular statement, but also in terms of generally knowing the DEPTH of knowledge behind your posts.

              To any trolls thinking to emulate Zeke… don’t bother. Somebody will quickly realize you’re talking nonsense!

  2. I’m hanging onto the documentation of this situation as a great illustration of how to present a security flaw poorly to the public.

    I’m also going to, at this point, keep my trap shut about it until ALL the relevant, actual details are made public. At this point I feel like I’m attempting to listen and talk inside a rumor machine, where no one has any idea what’s imaginary and what’s source information.

  3. The flaws in Mavericks underscore my comments, and those of others, here and on other sites about what happens when there is poor quality control and testing. The twisted logic of producing a new OS every year, regardless of whether it’s ready or not, makes no sense, especially to 3rd party vendors who are furious about the constant need to re-write code every year. Anyone who denies that Mavericks is without flaws is either delusional or living in another universe, as its problems are well documented. These are usually the same Apple Fanboys who claim the new iWork is a suitable replacement for MS Office: Not in the real world of business and education. Tim Cook’s real focus at Apple has been and continues to be on the iPhone and iPad. When will the Board of Directors realize his lack of commitment to quality software for users who are interested in productivity, not music, not photographs, not books, or other in vogue and temporary baloney?

    1. If they patched iOS 6 (and they did) the mistake happened a year before iOS 7 and Mavericks were released. I hate the new iWork as much as anyone, but it’s not related to this issue. If this flaw were as obvious as some are claiming, somebody would have discovered it many months ago. It’s only dangerous now because it has become common knowledge before a fix is available.

    2. If they patched iOS 6 (and they did) the mistake happened at least a year before iOS 7 and Mavericks were released. I hate the new iWork as much as anyone, but it’s not related to this issue. If this flaw were as obvious as some are claiming, somebody would have discovered it many months ago. It’s only dangerous now because it has become common knowledge before a fix is available.

  4. re
    “Anyone who denies that Mavericks is without flaws is either delusional or living in another universe, as its problems are well documented.”

    I’d suggest anyone who expects any software to be without flaws, especially one as huge as an operating system, is either delusional or living in another universe.

  5. Apple Corporation probably has to run forensics and software development logs to see how the closed loop got past the testing process. I’d point a finger at the intelligence community, since they boasted they could get into any Apple mobile device at will and the USAF bought 5,000 Apple devices to replace their Blackberries. I’m sure they don’t want NSA looking over their shoulders too.

    Perhaps Apple can get a logo that says “No NSA Inside” to put on all non-Intel chips made in-house by Apple?

    And how ironic that “Intel” is the name of a chip company in bed with the NSA? Who says the spy business doesn’t have a sense of humor?

    1. It would be naive to not at least suspect the NSA was involved in this “typo” in Apple’s code, given their track record sabotaging internet security measures of major companies.

      The main effect of this security flaw, after all, is that it makes it easier to eavesdrop on users’ Internet activity.

  6. So wait a minute: My Mac mini is hardwired to the Internet through an Ethernet cable connected to my Airport Extreme, and the WiFi is turned off. I only use WiFi for my portable devices and things in other rooms, like game consoles and the Apple TV. So since my Mac isn’t using WiFi, is it safe?

    ——RM
