
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible

“After Apple fixed the SSL bug in iOS, it’s unclear why three days have passed without an OS X fix after it was revealed by Reuters that the vulnerability was created by an error in a single line of code,” Ben Lovejoy reports for 9to5Mac.

“As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari,” Lovejoy reports. “Security researcher Ashkan Soltani (via Forbes) tested the apps installed on his own system and found that those vulnerable to the bug included Mail, Twitter, FaceTime, iMessage and even Apple’s software update mechanism.”

Lovejoy reports, “Some conspiracy theorists were suggesting that Apple had introduced the bug deliberately for use by the NSA…”

Read more in the full article here.

“Apple on Friday pushed out an iOS fix for the SSL/TLS bug. The concerns of the Mac community shifted to the then still-missing patch for OS X,” David Morgenstern writes for ZDNet. “An Apple spokesperson said the fix was due very soon. That ‘soon’ didn’t arrive on the weekend. Maybe Monday.”

“Lloyd Chambers at The Mac Performance Guide said it’s continuing evidence of ‘core rot,’” Morgenstern writes. “He’s had a special report up on the subject for quite a while. Chambers says that Apple appears to have plenty of engineers for ‘eye candy,’ as well as for screwing up usability, but not for security and testing.”

“I suggest that Apple’s top brass and corporate culture hasn’t caught up to the demands of its new role as a market leader. A number of years ago, I noted that Apple’s software engineering team was stretched to the limit by the release cycles of Mac OS and iOS. Engineers spent their energy working on one ‘side’ (iOS) while bugs went unfixed on the Mac side. The software engineering was stretched thin,” Morgenstern writes. “Apple’s closed system keeps most OS X and iOS users safe. And there’s still a modicum of safety from the neglect of malware writers; most phishing attacks are done for Windows users. Still, the key to Apple’s strategy is that it can always execute on its OSes and applications. If it doesn’t, then we all sink together.”

Read more in the full article here.

“Sure would be interesting to know who added that spurious line of code to the file,” John Gruber writes for Daring Fireball. “Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam’s Razor explanation would be that this was an inadvertent error on the part of an Apple engineer.”

“Once the bug was in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code. All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets ‘added’ to PRISM,” Gruber writes. “Or, maybe nothing, and this is all a coincidence.”

Read more in the full article here.
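The single stray line the articles above refer to is a duplicated `goto fail;` in Secure Transport’s SSLVerifySignedServerKeyExchange (sslKeyExchange.c, CVE-2014-1266): the second `goto` is unconditional, so the hash is never finalised and the signature over the ServerKeyExchange is never checked, yet `err` is still 0 and the handshake proceeds. The C below is an added example, not Apple’s code and not from any of the articles quoted here. It models that control flow with a toy one-byte hash and a toy signature (both constructed for the example, so only the control flow is real) beside the fixed version, and its `main()` plays the role of the spoofed-signature test Gruber describes: feed both functions a forged signature and see which one accepts it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of CVE-2014-1266 ("goto fail"). The hash and signature below are
 * toy stand-ins constructed for this example; the control flow is the point. */

typedef int OSStatus;
enum { errSSLCrypto = -9809 };   /* Secure Transport's code for a failed crypto op */

/* Constructed sample "signed params" and the signature a real peer would send. */
const uint8_t kParams[] = { 0x10, 0x20, 0x31 };
const size_t  kParamsLen = sizeof kParams;
const uint8_t kGoodSig   = 0x10 ^ 0x20 ^ 0x31;   /* 0x01: matches the toy hash */
const uint8_t kForgedSig = 0x41;                  /* anything else */

/* Toy "hash": XOR every input byte into a one-byte context. */
static OSStatus hash_update(uint8_t *ctx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *ctx ^= data[i];
    return 0;
}

static OSStatus hash_final(const uint8_t *ctx, uint8_t *out)
{
    *out = *ctx;
    return 0;
}

/* Toy "signature check": the signature is simply the expected hash value. */
static OSStatus raw_verify(uint8_t hashOut, uint8_t signature)
{
    return hashOut == signature ? 0 : errSSLCrypto;
}

/* GCC 6+ and recent clang flag this exact pattern with -Wmisleading-indentation;
 * it is silenced here so the function compiles the way a 2014 toolchain saw it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wmisleading-indentation"
OSStatus verify_vulnerable(const uint8_t *params, size_t len, uint8_t signature)
{
    OSStatus err;
    uint8_t hashCtx = 0, hashOut = 0;

    if ((err = hash_update(&hashCtx, params, len)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional, and err is still 0 */
    if ((err = hash_final(&hashCtx, &hashOut)) != 0)
        goto fail;
    err = raw_verify(hashOut, signature);   /* never reached */
fail:
    return err;
}
#pragma GCC diagnostic pop

/* The fix is deleting the stray line; braces make a repeated goto stand out. */
OSStatus verify_fixed(const uint8_t *params, size_t len, uint8_t signature)
{
    OSStatus err;
    uint8_t hashCtx = 0, hashOut = 0;

    if ((err = hash_update(&hashCtx, params, len)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&hashCtx, &hashOut)) != 0) {
        goto fail;
    }
    err = raw_verify(hashOut, signature);
fail:
    return err;
}

/* The spoofed-signature test: 1 if the given verifier accepts a forgery. */
int accepts_forgery(OSStatus (*verify)(const uint8_t *, size_t, uint8_t))
{
    return verify(kParams, kParamsLen, kForgedSig) == 0;
}

int main(void)
{
    printf("vulnerable: good sig -> %d, forged sig -> %d (forgery accepted: %s)\n",
           verify_vulnerable(kParams, kParamsLen, kGoodSig),
           verify_vulnerable(kParams, kParamsLen, kForgedSig),
           accepts_forgery(verify_vulnerable) ? "yes" : "no");
    printf("fixed:      good sig -> %d, forged sig -> %d (forgery accepted: %s)\n",
           verify_fixed(kParams, kParamsLen, kGoodSig),
           verify_fixed(kParams, kParamsLen, kForgedSig),
           accepts_forgery(verify_fixed) ? "yes" : "no");
    return 0;
}
```

Compile with `-Wall` and remove the `#pragma` lines to see that a current GCC or clang reports the misleading indentation; the same warning run against a release branch, or a unit test that feeds each signature-checking path a bad signature and expects a non-zero error, is the kind of check that would have caught this before it shipped.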

Related articles:
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014
