Apple Fixes Major SSL Bug In OS X, iOS

Trailrunner7 writes: "Apple has fixed a serious security flaw present in many versions of both iOS and OS X and could allow an attacker to intercept data on SSL connections. The bug is one of many the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OSX Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user's network, he might be able to intercept supposedly secure traffic or change the connection's properties."

Also fixed in Lion

[Valdrax]

Also fixed in Lion, according to the link, for those of us still using older Macs.

Re:Also fixed in Lion

[ArcadeMan]

What about iOS 6? There's still a lot of older iPhones out there.

Re:Also fixed in Lion

[dimeglio]

Good point. According to the FA, it looks like it affects iOS 7.1 and earlier. A good excuse to upgrade your iDevice. I don't expect Apple to patch unsupported hardware but if people complain, they might get it done.

Re:Also fixed in Lion

[ArcadeMan]

iOS6 did receive a patch about another SSL vulnerability a few months back, I think.

What I'm hoping for is for Apple to enable FaceTime Audio for the iPhone 3G and iPhone 3GS. All this talk about Earth Day is nice, but what's really helpful for users and the environment is to use older devices longer before recycling them.

Re:Also fixed in Lion

[sconeu]

Only for older iPods/iPhones. If your device is capable of running 7, you will not have the 6.x upgrade available.

Not a open source issue.

Tell me again how this whole issue with SSL is due to the nature of open source and how it's only the commie OpenSSL which can't be trusted...

Seems to me Apple's got a bit of a quality control issue itself.

What's Apple's excuse ?

Re:Not a open source issue.

[x0ra]

'apple' is smart enough not to give the issue a sexy name as "heartbleed", and thus it will go unnoticed among non tech people...

Re:Not a open source issue.

[omnichad]

But the bug probably is heartbleed. They're just not disclosing that they were affected.

Re:Not a open source issue.

[buchner.johannes]

It's a MITM attack. Heartbleed is not MITM.

Re:Not a open source issue.

[MikeMo]

It is not related to Heartbleed.

Re:Not a open source issue.

[gnasher719]

But the bug probably is heartbleed. They're just not disclosing that they were affected.

What do you mean by "they were affected"? Only _servers_ were affected by the "heartbleed" bug. Apple was lucky enough that its major services (App Store, iTunes, iCloud) didn't use OpenSSL.

Re:Not a open source issue.

[jo_ham]

Tell me again how this whole issue with SSL is due to the nature of open source and how it's only the commie OpenSSL which can't be trusted...

Seems to me Apple's got a bit of a quality control issue itself.

What's Apple's excuse ?

Apple's SSL implementation is also open source.

Oh, sorry, I interrupted you in the middle of an uninformed Apple bash. Do carry on. My apologies.

Their excuse is "open source means lots of eyes!" No wait, it's "whatever we do we'll be attacked, so we just dropped the ball and said 'fuck it'".

Re:Not a open source issue.

[jo_ham]

You know, information like that should really be in the article.

Oh wait.

Re:Not a open source issue.

[Anubis+IV]

How do you figure? This bug is specific to MITM attacks from an attacker on one's on network, has nothing to do with the heartbeat functionality that Heartbleed relied on, and the nature of the attack is that the attacker can execute arbitrary code, change the properties of the connection, or get data traveling over the network, rather than merely being able to access random 64K bits from memory. This is something wholly separate from Heartbleed, and likely ties back in with the ongoing security audit they've been rumored to be doing after finding themselves on the NSA's PRISM list.

Not all network security bugs happening in the same temporal proximity as Heartbleed are Heartbleed. It's not uncommon for Microsoft, Apple, and the various Linux distros/their dependencies to push out updates of this sort. It's just getting more attention right now because of Heartbleed. But suggesting that this "bug probably is Heartbleed" indicates that you really don't have a good grasp of what Heartbleed is even about, since it bears very little resemblance.

Re:Not a open source issue.

[Espectr0]

decided posting instead of modding you down, since you may not know that Apple does not use OpenSSL, therefore you are just wrong.

Re:Not a open source issue.

[Cinder6]

Not sure it's luck, since Apple went out of its way to replace OpenSSL in 2011 because they didn't think it was secure enough. (Granted, their own replacement wasn't perfect, either, as seen by both this and the "goto fail" bug.)

Re:Not a open source issue.

[David+Jao]

Clients are also affected. https://www.schneier.com/blog/...

Re:Not a open source issue.

[jeremyp]

Only _servers_ were affected by the "heartbleed" bug.

Wrong.

Snow Leopard

I have a perfectly good MBP of early 2007 vintage running Snow Leopard which can't be upgraded, and it still does the job I need of it today. I can't bring myself to 'upgrade' to the modern MBP's as I hate the chicklet keyboard, so I'm swinging back to windows laptops (linux+windows) to avoid Apple abandonware in the future.
For all the criticism Microsoft gets, at least they don't abandon semi-old stuff.

Re:Snow Leopard

[mk1004]

No, I've got a 2008 Mac Mini that was updated to Snow Leopard, and I haven't seen any updates for awhile. Newegg also wouldn't let me order using the Mini because of the older version of Safari that runs on SL.

If I upgrade to 2G of RAM, it looks like I can upgrade to Lion, but not Mountain Lion. I was going to upgrade the RAM anyway because it seems to run a bit sluggish, but the Mini maxes out at 2G, which is the lower limit of Lion. So it may be a wash, performance-wise.

Re:Snow Leopard

[LDAPMAN]

So you have a six year old machine that was the lowest specs you could buy at that time. Your surprised you can't run the latest and greatest???

Re:Snow Leopard

[dk20]

You know a lot of times those limits are artificial right? People have figured out how to trick mavericks into installing on "unapproved" systems.

Re:Snow Leopard

[koan]

Install Linux or Windows.

Re:Snow Leopard

[PlusFiveTroll]

Windows Vista still receives security patches, which was released in 2007. Most computers of that age will install W7 fine, though you might want to bump the RAM if you want it to be enjoyable. XP was supported with patches for over a decade. Apple locks you into expensiev hardware and wants you to buy new every few years,

Re:Snow Leopard

[jo_ham]

An "early 2007 vintage" MBP can run Lion.

If your machine is stuck on 10.6 then it's not "early 2007" but "early 2006".

The youngest macbook pro that can't run anything later than 10.6 is the Early 2006 with the Core Duo CPU and 2GB RAM.

Yeah, really "abandonware" there. *eyeroll*

Re:Snow Leopard

[LDAPMAN]

Depends on what you mean by "artificial". If it runs like molasses on less than 2GB or RAM and an ancient processor then limiting it to newer hardware is a reasonable choice.

Re:Snow Leopard

[Guest316]

Why not? I can run the latest Solaris on 12 year old Ultras, and if I had an early '90s Vax I believe I could still run the latest VMS version.

Re:Snow Leopard

[Cyrano+de+Maniac]

If I upgrade to 2G of RAM, it looks like I can upgrade to Lion, but not Mountain Lion. I was going to upgrade the RAM anyway because it seems to run a bit sluggish, but the Mini maxes out at 2G, which is the lower limit of Lion. So it may be a wash, performance-wise.

No, it will be a huge step backwards. Do not, under any circumstance, install Lion if you can possibly avoid it. Not only is 2GB not enough to run Lion in any reasonable manner, but even if you have more RAM than that, Lion is a molasses sucking pig. The last OS for any hardware I used that was that bad and that much of a step backwards from what came before it was... umm... Wow, can't think of one. Lion wins. Or, actually, loses.

Installing it was the worst single decision I've made regarding Apple software on my early 2008 MacBook Pro. I even did a clean install from official Apple USB media (i.e. the USB fob you had to pay extra for instead of just downloading it) and upgraded RAM to 4GB on account of Lion. Take it from myself and several of my coworkers who regretted every getting within 100 feet of Lion that it is best avoided. Mountain Lion didn't suck, but only by comparison to Lion. Mavericks is a little bit better yet, but still not nearly as snappy as Snow Leopard.

My gut reaction: Don't worry about Snow Leopard being out of date, even security-wise. A man-in-the-middle is rare in most environments, and Snow Leopard is already quickly diminishing in market share, so it's not terribly likely to be widely exploited. Compared to the every day pain you'll cause yourself by installing Lion or later, the tiny risk profile of running a vulnerable Snow Leopard is worth it, in my opinion.

Re:Snow Leopard

[dk20]

It is funny how words like "ancient" are thrown around in discussions like this.

Here's an interesting point similar to what someone posted down below.
In my basement I have a SUN X4500 Storage server (circa 2007) and it is currently running Solaris 11.1 without issues. The system has two "ancient" AMD Opteron's but since little has changed in terms of processor instruction sets they run fine.
So this is a system from 2007 running an OS released in 2011 and supported until 2024. Heck, I might upgrade to 11.2 when it is released in the next month or so.

Artificially preventing you from upgrading in this case seems more like a means to sell hardware then to "protect the user experience".

He has a 2008 mac mini, lets assume the mid 2007 model with a T7200 Intel Core 2 Duo whereas the 2009 mini uses 2.53 GHz (P8700) Intel Core 2 Duo

Go to any benchmark sites and do a comparison of those processors, they are pretty close yet one supports Mavericks, the other tops out at lion?

Re:Snow Leopard

[chuckugly]

To be fair, that's a 7yo computer... What's the rightlifetime so an os doesn't count as abandon ware? They still do snow leopard updates I think.

Do we apply that same logic to Windows XP?

Re:Snow Leopard

[LDAPMAN]

Unless it's slightly earlier than he thinks and is a Core Duo instead of a Core 2 Duo. Then there is the RAM requirement. Comparing support lifetime for a server OS and Hardware to a Mac Mini running a desktop OS is ridiculous.

Re:Snow Leopard

[dk20]

According to Apple's website 2GB is the minimum for Maverics: http://support.apple.com/kb/ht...

They also say a 2009 or later mini, does the small difference in processing powre really make a difference then?

Re:Snow Leopard

[LDAPMAN]

It's not just processing power. Some of the earlier processors are not fully 64bit and some have limitations on the memory they can address.

Re:Snow Leopard

[guruevi]

There is no such thing as a 2008 Mac Mini, you probably got a Mid 2007 Mac Mini which runs up to Mac OS X 10.7.5 which is still supported and can actually take up to 3GB of memory (2GB was the maximum configuration by Apple).

If you want to, you can install Linux on the machine. I don't know why NewEgg would crap out on the browser because that Safari supports common versions of ECMAScript and HTML5, try Firefox otherwise.

Re:Snow Leopard

[LDAPMAN]

And Windows 7 was released when??? Mavericks was released a few months ago. The versions of OS X that were released around that time are still receiving security updates too and will still run fine on six year old hardware. The issue here is Mavericks is 64bit only and it makes some assumptions on the hardware. Nothing different here. Would you rather they did what MS did with Windows 8 and certify hardware they knew would run like crap?

Re:Snow Leopard

[Cinder6]

Everyone has different experiences. I never had problems with Lion (mid-2011 MBA), but I saw enough people complaining that I won't doubt you. On the other hand, I could never go back to Snow Leopard after Mountain Lion, and especially not after Mavericks.

Re:Snow Leopard

[Lakitu]

Looks like it's the opposite to me. He's complaining that he's forced to purchase upgrades to the latest and greatest major versions of his OS, and purchase hardware that it says it will run on, just for a security patch.

Re:Snow Leopard

[LynnwoodRooster]

Oh, I don't know... Maybe 12 years or so?

Re:Snow Leopard

[Kremmy]

We hit a level of computing power in 2006 that makes it so computers that old are still very likely to run most things just fine. Throw Windows 7 on anything that was honestly Vista Capable and you're good to go. Hey, that ought to include those Macs...

Re:Snow Leopard

[Lord_Jeremy]

No, you don't have a 2008 Mac Mini. There is no such thing as a 2008-year-model Mac Mini (source). The Mid 2007 model runs 10.7. The Early 2009 model runs 10.9. The 2007 can't run anything beyond than 10.7 natively because 10.8 and newer require a 64-bit EFI firmware. This is due to the newer version always booting the kernel in 64-bit mode. Some older Macs that had 64-bit CPUs, such as your Mini and a couple gens of Mac Pros still had 32-bit EFIs. You *could* run Mountain Lion or Mavericks by using a 3rd-party boot loader (such as Chameleon) that translates the 64-bit EFI calls to 32-bit. I'm actually doing that myself on an older Mac Pro. Of course then you'll discover that the video drivers for you Mini are only compiled for 32-bit in older systems and are totally absent from newer OS X versions. At a certain point, Apple (very reasonably) decided that maintaining two architectures of OS X and all included software, as well as implicitly requiring other developers to do the same was not worth support Macs beyond six years old.

Re:Snow Leopard

[supercrisp]

I upgraded to Mavericks from Snow Leopard because a lot of my mainline apps were only getting Mavericks-compatible updates. The best thing I can say about Mavericks is that it doesn't suck as much as I expected. I'm not noticing a slowdown, but I moved to an SSD for the OS drive at the same time, and I'm on an '09 MacBook Pro with 8GB of RAM, so those things may be concealing an OS-related slowdown. At any rate, I'd say that you shouldn't make the move to Mavericks if you don't have to, especially if you have an older machine. It's mostly just a bunch of stupid eye-candy. Yes, I know: App Nap!* Memory efficiency! Battery efficiency! But my battery use was already fine, RAM is often dirt cheap, and App Nap's main function on my machine is to pop up the rainbow pinwheel when I'm in a hurry.

Re:Snow Leopard

[AmiMoJo]

Lion doesn't have any PPC support, so might not be an option. Even if it is Lion runs very poorly on machines of that age, so would be a massive downgrade in terms of performance and productivity.

Remember all the stick Microsoft got about "Vista compatible" machines that ran it like a dog? "Possible" and "advisable" or "practical" are different things.

Re:Snow Leopard

[Gr8Apes]

Yes, everything prior to the Santa Rosa machines circa 2009 I believe have essentially a hamstrung memory controller. Intel wasn't fully into the game yet, still playing catchup to AMD. I have a pre Santa Rosa MBP running SL still, because Lion/ML really aren't stable enough to warrant an upgrade. Yes, I have(had) machines running every thing from panther on up to mavericks, and Grand Central, while a great idea, was a massive architectural change that caused quite a few instabilities in the OS. Mavericks seems to be about as stable as Leopard, which isn't terrible, but even it isn't yet quite at the SL level yet.

Re:Snow Leopard

[Gr8Apes]

I was pretty sure that Vista was EOL'd already. W7 is scheduled for next year. Win8 is ended this year, all of course as far as "free" patches go.

Snow Leopard was still getting patches until Mar 2014. As for it being on sale, it's only there as a gateway for pre- Snow Leopard systems to get to Mavericks, however small that number may be. It's also a way to run PPC software on newer macs via Parallels or the like. Yes you can run that (accidentally) free copy of Adobe PS 2 you downloaded.

Re:Snow Leopard

[Gr8Apes]

Except the version of the OS on his machine isn't affected by that bug...

Re:Snow Leopard

[Gr8Apes]

On the other hand, I could never go back to Snow Leopard after Mountain Lion, and especially not after Mavericks.

Why? (I'm honestly curious)

Note: I'm running SL, ML, and Mavericks, and I have to say, SL is the most stable, followed by Mavericks, ML is "ok", and my brief experience with Lion was only because ML came out and I decided to jump directly to it even though I had had a Lion disk for a year. (Yes, the "bad" stories made me hold off long enough for the "fix" to come out.)

I'm still not 100% happy with the effects of Grand Central, only because the stability has not been returned to SL standards. However, Mavericks is quite usable. The occasional "crash" is mediated by a 500+MB/s SSD, so restarts are sub 15s and used to occur maybe once every 30-45 days. The 10.9.1 patch has actually allowed me to reboot for reasons other than a crash. Oh, and I should mention that these crashes do not come with a dump, just blammo - restart. That never happened in SL, at least you got the infamous crash screen, if you ever had a crash that is. (You will occasionally if you're running a slew of PPC software)

All that said, for me, the main benefit of Grand Central is better handling of messaging and performance for applications that have the ability to be run in parallel. This is a major plus. I have barely changed my interface habits since panther, primarily because I use QuickSilver for launching apps and Cmd[-SHFT]-Tab and Cmd[-SHFT]-` to navigate apps and windows within an app. So all the Launchpad, Mission Control, Expose, Dashboard, Dockbar etc garbage don't even figure in my daily computer use. I minimize and hide the dockbar right after installing QuickSilver, and pretty much never see it again.

Re:Snow Leopard

[strikethree]

My Macbook Pro is from mid 2010. I stopped "upgrading" at Snow Leopard because that is when OS X went off the deep end. Snow Leopard itself actually annoys me with the "integrated app store" bullshit. I wanted a Unix based laptop with a semi-reasonable GUI and all I would have if I upgraded to the latest is an ugly IOS device doing everything it can to get me to buy shit.

Re:Snow Leopard

[Gr8Apes]

So the hackintosh community benefits us again. I'll have to see about the video drivers for my MBP. If they're available in 10.9, I'll upgrade it someday. For now, it's fine on SL.

Re:Snow Leopard

[mk1004]

You're right; it's a 2007 model purchased in 2008. The point is, it can't run anything beyond 10.7 (without limited workarounds), and 10.6 is not getting any updates. My point was that Snow Leopard isn't getting any updates, and older hardware is limited as to what you can upgrade to.

It seems to be a shame that hardware that can last for 6+ years has to be abandoned because the OS is no longer supported.

Re:Snow Leopard

[jo_ham]

That's true - if you need Rosetta support, you are stuck on 10.6. Most apps have x86-native binaries by now, but not all, especially if you have older, unsupported software. I guess for many people this will be Adobe CS1.

Not related to hearthblled

Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.

Re:Anyone having trouble with connecting today?

[Kazoo+the+Clown]

Yes, I've been having a lot of trouble getting slashdot to load as well. Some browsers seem to be doing better than others. On an iPad.

Re:Ability to run arbitrary code.

[am+2k]

Executing arbitrary code is how the jailbreaks work. They exploit some weakness to patch the system, removing a few safeguards in the process (that's why there are some viruses out there that only affect jailbroken iOS devices).

VAX/VMS supported into late 1990s

[erikscott]

Sadly, VMS support for VAX ended around 7.1 or 7.3 or something - it was in the late nineties. But every alpha ever made (at least "that ever ran VMS in the first place") can run the latest version.

All UltraSPARCS can run solaris 10.X. Hardware from this millenium is required for Solaris 11.X (more or less). Pre-Ultra machines are kind of limited - A microsparc machine (sparcStation 5 and similar) is supported on 2.9, but unless you max out the RAM you're better off at 2.8. Sparcs with VME busses (4/110, 4/280, etc) are stuck further back - maybe Solaris 2.4, but I'm not sure. These are better off running OpenBSD anyway. :-)

Yeah, I get a laugh out of what constitutes "support" these days. :-)

Re:They.

[flyingfsck]

Most Amerikins do not realize that the gender neutral form is 'one', as in anyone, no-one, someone, or 'body', as in somebody, anybody and nobody. If everyone would realize that one could use one instead of he, she or it, then the gender issue in politically correct speak would largely go away.

Re:Marketshare?

[Kalriath]

Irrelevant, since the issue is the client implementation.

Re:They.

Most Amerikins do not realize that the gender neutral form is 'one', as in anyone, no-one, someone, or 'body', as in somebody, anybody and nobody. If everyone would realize that one could use one instead of he, she or it, then the gender issue in politically correct speak would largely go away.

The use of "one" when attempting to be PC regarding gender is offensive to conjoined twins. Especially conjoined fraternal twins and conjoined identical twins where one twin is transgendered.

Errr...

[porkchop_d_clown]

Heartbleed affects clients, too. Android phones running 4.1.1, for example. http://www.bloomberg.com/news/...

Let me know how it goes

[porkchop_d_clown]

when you try to put windows 8.1 on a 7 year old computer.

Re:Marketshare?

[Kalriath]

Because OSX uses Apple's SSL implementation?

Re:Marketshare?

[Kalriath]

No, it's irrelevant. Noone uses OS X server in a datacenter as their client PC. The web server that OS X uses in the server context is Apache - so... OpenSSL.