Slashdot Mirror


Apple SSL Bug In iOS Also Affects OS X

Trailrunner7 writes "The certificate-validation vulnerability that Apple patched in iOS yesterday also affects Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS. Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found. Some users are reporting that Apple is rolling out a patch for this vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable."
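
The "pair of failures in a row" Langley refers to is a duplicated, unconditional `goto fail` in the signed key-exchange check: the second copy jumps to the cleanup label while the error code still reads success, so the signature over the handshake is never verified. The C below is an added, simplified reconstruction of that control-flow shape next to a corrected version; it is not Apple's code, and `hash_ctx`, `hash_update` and `sig_verify` are constructed stand-ins for the real hashing and signature routines.

```c
#include <string.h>

/* Constructed stand-ins for the hashing and signature-check steps
   (not Apple's Security framework APIs). 0 means success throughout. */
typedef struct { int bytes_absorbed; } hash_ctx;

static int hash_update(hash_ctx *ctx, const char *data, size_t len) {
    ctx->bytes_absorbed += (int)len;
    return 0;
}

/* Simulated signature check: only the string "valid-sig" passes. */
static int sig_verify(const char *sig) {
    return strcmp(sig, "valid-sig") == 0 ? 0 : -1;
}

/* Vulnerable shape: the second, unconditional `goto fail` is always
   taken while err is still 0, so sig_verify() never runs and the
   function reports success for any signature (or no signature). */
int verify_vulnerable(const char *param, const char *sig) {
    hash_ctx ctx = {0};
    int err;
    if ((err = hash_update(&ctx, "client-random", 13)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, "server-random", 13)) != 0)
        goto fail;
        goto fail;   /* duplicated line: indentation hides that it is unconditional */
    if ((err = hash_update(&ctx, param, strlen(param))) != 0)
        goto fail;
    err = sig_verify(sig);   /* unreachable in this version */
fail:
    return err;
}

/* Hardened shape: braces make each conditional jump explicit, and the
   signature check is reached whenever the hashing steps succeed. A
   compiler warning for unreachable code would also have flagged the bug. */
int verify_fixed(const char *param, const char *sig) {
    hash_ctx ctx = {0};
    int err;
    if ((err = hash_update(&ctx, "client-random", 13)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, "server-random", 13)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, param, strlen(param))) != 0) { goto fail; }
    err = sig_verify(sig);
fail:
    return err;
}
```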

2 of 140 comments

  1. Informative discussion thread by MisterSquid · Score: 5, Informative
    Over at MetaFilter, there's a pretty informative thread calling out these parts among others.
    • iOS 6 users with iOS 7-capable devices will be given the latest iOS 7.
    • iOS 6 users without iOS 7-capable devices will be given the latest iOS 6.
    • Mac OS X users pre-Mavericks (10.9) are OK.
    • Mac OS X Mavericks users should avoid using Safari.
    • You can visit this link to see if your device/browser is affected.
    --
    blog
  2. Re:NSA by 93+Escort+Wagon · Score: 5, Insightful

    This is a fundamental problem all the traitorous NSA behavior has created - every time something like this comes up, we're going to wonder if THEY are behind it. Problem is, that way lies madness... we can never really know.

    1) It could very well be an innocent coding error. Heck, I could see myself doing this one with the slip of the fingers in BBEdit. I probably HAVE done it at some point in time.

    2) It could be an intentional bug slipped in by someone on NSA's payroll.

    3) Or, it could be even more nefarious. Perhaps NSA has known about this, but thought the use case was too restricting. So they kept quiet until they were able to slip a more broadly exploitable hole in the development code (or, alternatively, something the compiler can slip into your output). Then, to force everyone to update, they reveal this older bug. We all update, and BAM! They've got us.

    We can't really know, anymore.

    --
    #DeleteChrome