Kristin Paget, former Apple security engineer, has posted the following via Kristin Paget’s Blog:
Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.
What didn’t happen was the corresponding OS X patch. At least not yet.
WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?
Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.
FIX. YOUR. SHIT.
Love and hugs as always,
Source: Kristin Paget’s Blog
MacDailyNews Take: No arguments here.
Every second that passes without a fix that removes one line of code just makes you look that much more incompetent.
1. Highlight second “goto fail;” and press “delete” key
2. Release security update
3. There is no step 3.
Even if the fix is more involved than our humorous example above, this has already taken too long. Ever get the feeling that of Apple’s 80,000 employees, only about 5 are actually allowed to do any of the real work? Why does the world’s most valuable company always seem to be stretched too thin?
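To show why deleting that one line is the whole fix, here is a simplified model of the “goto fail” control-flow slip (added illustration, not Apple’s source code): the step functions and `verify_sig` are stand-ins for the hash-update and signature-check calls, and each returns 0 on success.

```c
#include <stdio.h>

/* Stand-in for a hashing step that succeeds (constructed for this example). */
static int step_ok(void) { return 0; }

/* Stand-in for the signature check: sig_valid=1 means the signature verifies. */
static int verify_sig(int sig_valid) { return sig_valid ? 0 : -1; }

/* Vulnerable shape: the second `goto fail;` is unconditional because it is not
 * inside the preceding if's body (no braces). Everything below it is dead code,
 * and err still holds the 0 from the last successful step, so the function
 * reports success without ever checking the signature. */
int verify_vulnerable(int sig_valid)
{
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;            /* the duplicated line */
    if ((err = verify_sig(sig_valid)) != 0)
        goto fail;
fail:
    return err;               /* 0 here means "signature accepted" */
}

/* Fixed shape: same code with the duplicate line removed; the signature check
 * now runs and its failure propagates through err. */
int verify_fixed(int sig_valid)
{
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = verify_sig(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("vulnerable, bad signature: %d\n", verify_vulnerable(0)); /* 0 */
    printf("fixed, bad signature:      %d\n", verify_fixed(0));      /* -1 */
    return 0;
}
```

Building the vulnerable version with clang’s `-Wunreachable-code` flags the dead `if` after the duplicate `goto`, which is a cheap way to catch this class of slip before it ships; always bracing single-statement `if` bodies removes the shape entirely.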
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014