Update your Mac NOW: Apple fixes OS X 'goto fail' SSL spying vuln

Apple has released OS X 10.9.2 which, you'll be delighted to know, improves the "accuracy" of the unread message count in Mail, and fixes the autofill feature in Safari among other little tweaks. It also just so happens to snap shut a gaping security vulnerability that potentially allowed hackers to hijack users' bank accounts …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    For users fearing their passwords and bank account details were about to be put in the hands of crooks, that wait felt like an eternity. [citation needed]

    1. Anonymous Coward
      Facepalm

      Why would a citation be needed?

      Millions of Macbooks were wide open to exploit. What sheeple in their right minds wouldn't be worried sick?

      Probably had to drink an extra tall caramel mocha frap to get over their jitters.

  2. Pete Spicer
    Boffin

    Perhaps it's an argument for always using { and } to indicate scope of an if statement even if the branch generated is only a single line. I'm not a fan, I only have so many of the { and } in stock, but perhaps I should order some more too...

    1. Havin_it
      Alert

      Or an argument for disabling copypasta in code editors ;)

      I've always tended to use braces even when not strictly needed; not for this reason per se, I suspect it was because I once used an editor that didn't auto-indent unless I'd opened a brace first or something. It just stuck. Oh, and of course if your indents get fucked up somehow, if everything's braced it's easier to spot a brace mismatch (provided your editor does brace-pair highlighting).

      Mostly though, I just like the pleasing "flight of geese" that comes at the end of a really deeply-nested set of loops ;)

      1. Anonymous Coward
        Pint

        Lovely image, "flight of geese" - cheers!

        I shall go "hoooonk! hooooonk" at the next one I set free :-)

        But some bright soul suggested that it's less likely to have been copypasta than somebody not vetting an automatic three-way merge. Perforce used to get it mostly right, tempting me to just submit, go home, and see if the test results looked good in the morning - but once in a while it would get confused by adjacent changes in the mergees and end up with a partial duplicate like this.

        I'm more worried that "unreachable code" is routinely disabled - it's a PITA to have to "#ifdef _DEBUG" or "(void) someParamThatOnlyGotUsedForLogging;" but there aren't many warnings that don't save your butt someday like this.

        1. PJI

          code merging

          I know that Subversion and Git seem to think that code merging is the be all and end all of version control systems and even discourage file locking on check out for editing, in the naive belief that all workers talk to each other and sit at adjacent desks, so it is right and proper for two people to work on the same file simultaneously (makes me think too much work by different authors is in a single file).

          But really, I recall that systems that provided code merging (that I did try a couple of times) used to come with the caveat that automatic code merging is a bad idea, at least of merging versions from two different people - all these wonderful methodologies and tools for designing and writing code buggered by the most basic fallacies: that working in parallel on the same file and automated merging are good ideas.

          I've seen it tried with Perforce and Subversion (only once by me, what a waste of time) and seen it cause near disaster every time. Anything beyond the most trivial and carefully read and reread by another engineer is just horrible.

          Just use discipline, reinforced by file locking and a proper code review system. Same goes for documentation by the way.

          In this case, the indentation would have made it easy to miss in a quick and nasty review, and it makes one of the few good cases for curly brackets everywhere possible; then use vi(1) or similar to check the matching pairs.

        2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      It also highlights the issue of a certificate-checking function that does not default to returning failure unless all necessary checks pass. In that case this would have blocked valid sites rather than passing invalid ones, making the problem a bit more obvious.

  3. Daniel B.

    Good

    Wonder why it took so long to put up this fix. I'd just recompile the afflicted apps and upload that as the fix, instead of waiting to add some other fix to the release batch. Especially when SSL is the thing broken.

    1. Frankee Llonnygog

      Re: I'd just recompile the afflicted apps and upload that as the fix,

      On the other hand, users might be more comfortable with:

      Recompile the afflicted apps, TEST, and upload that as the fix,

  4. Kevin (Just Kevin)

    What about the beta

    And still no update to the 7.1beta. Still susceptible to the SSL bug.

    1. Anonymous Coward
      Anonymous Coward

      Re: What about the beta

      What about it? That's intended for developers, and they should be smart enough to know not to run beta code on their day to day phone if they're worried about stability or security.

  5. cashxx

    I don't see what the big deal was.....I just used another browser until it got fixed. They said the update was near and figured it would be this week. Whoopee!!

    If they would have rushed out a fix and screwed something up then everyone would have been complaining about that! It was put in a current about to be released update and tested and released! That simple!

    1. JC_

      I don't see what the big deal was.....I just used another browser until it got fixed.

      And that other browser on iPads & iPhones would be?

      If they would have rushed out a fix and screwed something up then everyone would have been complaining about that!

      Guess Apple needed enough time to make sure the fix compiled, maybe even get around to writing their first unit tests for their freaking Security Library.

      1. ratfox
        Boffin

        re:other browser

        There was no issue with iPads and iPhones, since they got fixed first. And Chrome and Firefox on Mac OS X use their own library, so they were safe.

      2. PJI

        re And that other browser on iPads & iPhones would be?

        Well, I've got Opera on my iPhone, always have at least two browsers on all devices. I am certain there are other possibilities.

        I suggest you learn how to run a search in the App service.

    2. depicus

      Piss poor reporting

      Indeed the reporting of this issue was so poor

      1. You would need to do a man in the middle attack first so this discounts all but public locations in reality.

      2. It was only an issue for numeric addresses not fqdn so how was this going to affect joe public as the last time I logged into my banking it never used an ip address.

      3. It was only just reported Friday and was fixed Tuesday - not sure how that is such a long time.

      1. diodesign (Written by Reg staff) Silver badge

        Re: Piss poor reporting

        "Indeed the reporting of this issue was so poor"

        Your understanding is wrong, I'm afraid.

        1. Any router between you and your website can take advantage.

        2. No, that was a curl bug unrelated to the grave SSL cert issue; all network connections boil down to IP addresses anyway.

        3. It was reported on Friday after Apple dropped a 0-day on everyone with no fix available and with no fix delivery date.

        Keep it coming. I'm loving it.

        C.

      2. Daniel B.

        Re: Piss poor reporting

        3. It was only just reported Friday and was fixed Tuesday - not sure how that is such a long time.

        They fixed it on Friday for iOS, but didn't roll out the OSX fix 'till Tuesday. That's really long given that the fix is in a library, you should be able to simply recompile the affected apps with the new library and release that. Good thing I still am on Mountain Lion...

        1. Mark 65

          Re: Piss poor reporting

          They also fixed it by mandating that all iOS users bar 3GS owners had to upgrade to the Fisher Price monstrosity that is iOS 7. No 6 fix for you.

  6. GaryDMN

    This is funny

    Has anyone come forward that was affected? Like hackers are hiding under my bed or getting access to my home network via WiFi. This is just more anti-Apple banter. How fast are flaws discovered in Android fixed, even in the most recent version? I have been using a Mac since the 1980's and have never had a virus, been hacked or lost data and I have never spent a single cent on anti-virus software.

    1. Observer1959

      Re: This is funny

      You should read the Appleinsider article on this whole sky is falling on Apple frenzy by the media. They just posted it a day or so ago and it mentions the drama headlines by the Register and many others who blindly follow. It's pathetic.

      1. ratfox

        Re: This is funny

        Well there is the fact that internal documents of the NSA reveal they found a way to get any information they wanted from iPhones about a month after this bug was introduced. If the NSA had been monitoring changes in the published code (which would be the logical thing to do for them, considering this is a security library for a large target), it is quite likely they found the bug right away and have used it ever since.

        Of course, "if you have nothing to hide, you have nothing to fear"... Right?

      2. diodesign (Written by Reg staff) Silver badge

        Re: Re: This is funny

        "it mentions the drama headlines by the Register"

        Have you got a link? I can't see it on their website. This should be fun.

        C.

    2. Anonymous Coward
      Gimp

      Re: This is funny

      @GaryDMN - "I have been using a Mac since the 1980's and have never had a virus, been hacked or lost data and I have never spent a single cent on anti-virus software."

      ==============================

      I was wondering how long it would take a fanboy to post the obligatory "I've never been hacked or whacked in 30+ years and don't believe in security measures on a Mac" post.

      No - you weren't (that you know of) - but millions of Apple users have been, and some of the consequences have been pretty disastrous. And that number probably went up substantially over the weekend. Keep drinking your own Kool-Aid though, and telling all your friends and family that "they don't need to worry about security on a Mac". Hope it works out for you.

    3. Daniel B.
      Boffin

      Re: This is funny

      I have been using a Mac since the 1980's and have never had a virus, been hacked or lost data and I have never spent a single cent on anti-virus software.

      Had you said "early 2000's" it would have been believable. I was a Mac user during the early Mac+ days, up until sometime around 1998. I came back to Mac sometime around 2012 as most of my work is now based on UNIX and Linux, thus no real need for Windows (and gah! Win8! yuk!). But there's no way you're going to hear me say Mac has never had a virus. Frickin' Symantec Antivirus was born on the Macintosh ecosystem. And yes, we did get hit by a couple of virii, in fact we got to lose a couple of HDDs thanks to them. MacOS Classic had quite a bunch of virii roaming about, it was OSX that started the virus-free claim.

      I will agree that it is at least more secure than Windows, but most UNIX/POSIX based OS can claim that feat.

  7. Sandtitz Silver badge
    Facepalm

    Never mind that SSL fix...

    [TheReg]"you'll be pleased to know, fixes the unread email count in Mail"

    Actually, Apple release notes say: "Improves the accuracy of unread counts in Mail"

    So it's even closer to the actual unread count, but no guarantees yet?

    1. Mike Bell

      Re: Never mind that SSL fix...

      Well, to be very generous, it would be possible to have mail sitting on a server somewhere that you don't know about yet. That's unread mail, and if it's not counted, the count is not spot on.

    2. Ian 4

      Re: Never mind that SSL fix...

      ...Accuracy...

      My fiancee and I have been amused by the unread email count of "-3" on her S3.

  8. Bronek Kozicki
    Facepalm

    just read the code libsecurity_ssl

    ... and it's a serious WTF. Original author obviously never heard of "else if" and somehow came up with the idea that label "fail:" makes perfect sense when also used for cleanup on success.
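Added example, constructed for this thread and not code from Apple's libsecurity_ssl or from any commenter, illustrating the three points raised above by Pete Spicer (braces on every branch), the anonymous poster (a check function that fails closed by default) and Bronek Kozicki (one "fail:" label shared by the success and failure paths). The check functions hash_update() and verify_sig() are stand-ins that take a flag instead of doing any real cryptography.

```c
/* Constructed stand-ins for two steps of a signature check: 0 = success, -1 = failure. */
static int hash_update(int hash_ok) { return hash_ok ? 0 : -1; }
static int verify_sig(int sig_ok)   { return sig_ok  ? 0 : -1; }

/* The pattern discussed in the thread: braceless ifs, one "fail:" label that is also
 * the path taken on success, and a duplicated "goto fail;" line.  err is still 0 from
 * the hash step, so the signature check is never reached and a bad signature passes.
 * An unreachable-code warning, where the compiler offers one, would flag verify_sig(). */
int verify_braceless(int hash_ok, int sig_ok)
{
    int err = 0;
    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
        goto fail;                        /* duplicated line: always taken */
    if ((err = verify_sig(sig_ok)) != 0)  /* unreachable */
        goto fail;
fail:                                     /* cleanup shared by both paths; err == 0 here */
    return err;
}

/* Hardened form: braces on every branch, err starts out as a failure, and success
 * is assigned only after the final check has actually run. */
int verify_fail_closed(int hash_ok, int sig_ok)
{
    int err = -1;                         /* default: reject */
    if (hash_update(hash_ok) != 0) {
        goto cleanup;
    }
    if (verify_sig(sig_ok) != 0) {
        goto cleanup;
    }
    err = 0;                              /* the only path to "accept" */
cleanup:
    return err;
}

/* The same fail-closed structure with the same merge slip injected: now every input
 * is rejected, good ones included, so the defect is loud rather than silently fatal. */
int verify_fail_closed_with_slip(int hash_ok, int sig_ok)
{
    int err = -1;
    if (hash_update(hash_ok) != 0) {
        goto cleanup;
    }
    goto cleanup;                         /* duplicated line */
    if (verify_sig(sig_ok) != 0) {        /* unreachable */
        goto cleanup;
    }
    err = 0;
cleanup:
    return err;
}
```

verify_braceless(1, 0) returns 0, accepting a bad signature, while verify_fail_closed_with_slip(1, 1) returns -1 for perfectly good input, which is the "blocks valid sites instead of passing invalid ones" behaviour that gets a bug noticed on day one.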

  9. Lord Elpuss Silver badge
    FAIL

    Breaks Mobility Client VPN

    I just managed to get Cisco AnyConnect Mobility Client working after my company closed off the previous VPN server (which worked perfectly).

    I installed Apple's update this morning, and lo and behold AnyConnect doesn't work any more. First I got a message saying it couldn't reach the connection server, now I get a message saying it's timed out.

    Dammit to hell and back. From home to office is a 3 hour round trip, seriously f*cks me off when one thing is 'fixed' and the fix takes something else vital out at the same time. Especially when the 'fix' promises to resolve VPN connection issues.

    1. Lord Elpuss Silver badge
      Holmes

      Re: Breaks Mobility Client VPN

      *UPDATE* Fixed it. If anybody is facing the same problems with AnyConnect Mobility Client (Corporate Intranet pages display with no CSS, JavaScript won't load etc over VPN, yet load fine when connected directly to the Intranet i.e. in the office), this fix worked for me. I suspect the VPN firewall was blocking some 3rd party sites, and adding them to the Search Domains list forced the firewall to allow them.

      Check the page source in Safari of a page that won't load. You'll see any resources that won't load correctly highlighted in red at the bottom of the source viewer.

      Add these domains to the 'Search Domains' configuration pane for your VPN connection (Connections > Properties > Search Domains, then click '+'). So if the resource w3.css.subd.com/css/main.css won't load, add subd.com to the Search Domains list.

      If your VPN won't connect at all (timeout or connection manager not found error), add the Connection Manager domain directly to the Search Domains box as well. So a connection manager address of wecm.us.cisco.com means you should add cisco.com to the search domains box.

      Not sure if this last is a hack (certainly feels like it) but it works for now.

  10. Lallabalalla
    Gimp

    It seems there's no fix for my iPhone4

    as it still has iOS6 on it, and it will be sold with it on (at a premium I suspect) when the 6 comes out and I get one. (If I don't get a Galaxy 5 that is. Or a Huawei ?!?). I have been steadfastly ignoring the iOS7 "update" since it first appeared as I have no intention of converting my perfectly serviceable phone into a laggy, power-hungry partially non-functioning brick, thank you very much.

    IMO the 4 & 4S should NEVER have been pushed iOS7. It's been written off elsewhere as a cynical ploy to get otherwise happy Apple owners to fork out for new hardware when it really wasn't needed.

    1. Lord Elpuss Silver badge

      Re: It seems there's no fix for my iPhone4

      I'm running iOS7 on my 4S with no problems; it's smoother than 6 ever was, and the battery life may actually have improved. I certainly didn't notice it falling off a cliff anyway. My girlfriend is running iOS7 on her iPhone 4 and it struggles somewhat there, although no more than the final versions of 6 did.

      If you look past the colour scheme (I like it, but opinions may vary) then iOS7 is a significant upgrade on a 4S.

      Oh, and it's unlikely you'll get a premium for having 6 on it; those who care enough about such things will generally be able to downgrade it themselves using Firmware Recovery mode.

    2. Havin_it
      Trollface

      Re: It seems there's no fix for my iPhone4

      serviceable pwnable

      You'll be sure to mention that in your "premium" eBay listing, won't you?

      1. Lord Elpuss Silver badge

        @Havin_it

        I missed the gist there - is 6 more pwnable than 7? Thought it was pretty solid...

        1. Havin_it

          @Lordy Re: @Havin_it

          My reply was to the OP (Lallathingy), that might not have been apparent as we cross-posted.

          The gist -- with the caveat that I have no idea whether s/he's correct in his/her assertions -- is that if this vuln is present on iOS 6 (as s/he seems to think is the case), then s/he is apparently content to trade security for a more likeable UX, both for him-/herself (until the iPhone 6 comes out) and for whatever poor soul then buys the by then maggot-ridden thing off him/her.

          Gad, I hate explaining my trolls.

    3. JaimieV

      Re: It seems there's no fix for my iPhone4

      I finally updated my iPhone4 from iOS6.1.3 to 7.0.6 on Monday, for the same reason that Apple are nannyingly disallowing installation of 6.1.6 on them.

      And it turns out it's faster than it was with 6 on, smoother, and less crashy. I know, surprised the hell out of me, I thought I was going to be spending the next day messing around with reinstalling 6 against Apple's wishes.

      It's no panacea, it still has pauses on app switch/startup, but it's no slower and the transitions are less offensive than they were in 6 because 7 does more papering-over-the-cracks stuff with pictures of the last app screen and restarting apps in exactly the same place you left them.

      So, all good - for me, anyway. Except Podcasts, which is a bit less crunchy than it was in 6 but buggily doesn't think I've finished any episodes. I've replaced with PocketCasts which is a lot smoother.
