Slashdot Mirror


Apple Fixes Major SSL Bug In OS X, iOS

Trailrunner7 writes: "Apple has fixed a serious security flaw that is present in many versions of both iOS and OS X and could allow an attacker to intercept data on SSL connections. The bug is one of many the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OS X Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user's network, he might be able to intercept supposedly secure traffic or change the connection's properties."

  1. Also fixed in Lion by Valdrax · · Score: 2

    Also fixed in Lion, according to the link, for those of us still using older Macs.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    1. Re:Also fixed in Lion by ArcadeMan · · Score: 2

      What about iOS 6? There's still a lot of older iPhones out there.

  2. Not an open source issue. by Anonymous Coward · · Score: 3, Insightful

    Tell me again how this whole issue with SSL is due to the nature of open source and how it's only the commie OpenSSL which can't be trusted...

    Seems to me Apple's got a bit of a quality control issue itself.

    What's Apple's excuse?

    1. Re:Not an open source issue. by x0ra · · Score: 5, Insightful

      'Apple' is smart enough not to give the issue a sexy name such as "heartbleed", and thus it will go unnoticed among non-tech people...

    2. Re:Not an open source issue. by omnichad · · Score: 2, Insightful

      But the bug probably is heartbleed. They're just not disclosing that they were affected.

    3. Re:Not an open source issue. by buchner.johannes · · Score: 5, Informative

      It's a MITM attack. Heartbleed is not MITM.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:Not an open source issue. by David+Jao · · Score: 2

      Clients are also affected. https://www.schneier.com/blog/...

    5. Re:Not an open source issue. by jeremyp · · Score: 2

      Only _servers_ were affected by the "heartbleed" bug.

      Wrong.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  3. Snow Leopard by Anonymous Coward · · Score: 3, Insightful

    I have a perfectly good MBP of early 2007 vintage running Snow Leopard which can't be upgraded, and it still does the job I need of it today. I can't bring myself to 'upgrade' to the modern MBPs as I hate the chiclet keyboard, so I'm swinging back to Windows laptops (Linux+Windows) to avoid Apple abandonware in the future.
    For all the criticism Microsoft gets, at least they don't abandon semi-old stuff.

    1. Re:Snow Leopard by jo_ham · · Score: 4, Informative

      An "early 2007 vintage" MBP can run Lion.

      If your machine is stuck on 10.6 then it's not "early 2007" but "early 2006".

      The youngest MacBook Pro that can't run anything later than 10.6 is the Early 2006 with the Core Duo CPU and 2GB RAM.

      Yeah, really "abandonware" there. *eyeroll*

    2. Re:Snow Leopard by Cyrano+de+Maniac · · Score: 3, Informative

      If I upgrade to 2G of RAM, it looks like I can upgrade to Lion, but not Mountain Lion. I was going to upgrade the RAM anyway because it seems to run a bit sluggish, but the Mini maxes out at 2G, which is the lower limit of Lion. So it may be a wash, performance-wise.

      No, it will be a huge step backwards. Do not, under any circumstance, install Lion if you can possibly avoid it. Not only is 2GB not enough to run Lion in any reasonable manner, but even if you have more RAM than that, Lion is a molasses sucking pig. The last OS for any hardware I used that was that bad and that much of a step backwards from what came before it was... umm... Wow, can't think of one. Lion wins. Or, actually, loses.

      Installing it was the worst single decision I've made regarding Apple software on my early 2008 MacBook Pro. I even did a clean install from official Apple USB media (i.e. the USB fob you had to pay extra for instead of just downloading it) and upgraded RAM to 4GB on account of Lion. Take it from myself and several of my coworkers who regretted ever getting within 100 feet of Lion that it is best avoided. Mountain Lion didn't suck, but only by comparison to Lion. Mavericks is a little bit better yet, but still not nearly as snappy as Snow Leopard.

      My gut reaction: Don't worry about Snow Leopard being out of date, even security-wise. A man-in-the-middle is rare in most environments, and Snow Leopard is already quickly diminishing in market share, so it's not terribly likely to be widely exploited. Compared to the every day pain you'll cause yourself by installing Lion or later, the tiny risk profile of running a vulnerable Snow Leopard is worth it, in my opinion.

      --
      Cyrano de Maniac
    3. Re:Snow Leopard by dk20 · · Score: 2

      It is funny how words like "ancient" are thrown around in discussions like this.

      Here's an interesting point similar to what someone posted down below.
      In my basement I have a SUN X4500 Storage server (circa 2007) and it is currently running Solaris 11.1 without issues. The system has two "ancient" AMD Opterons but since little has changed in terms of processor instruction sets they run fine.
      So this is a system from 2007 running an OS released in 2011 and supported until 2024. Heck, I might upgrade to 11.2 when it is released in the next month or so.

      Artificially preventing you from upgrading in this case seems more like a means to sell hardware than to "protect the user experience".

      He has a 2008 Mac mini, let's assume the mid 2007 model with a T7200 Intel Core 2 Duo, whereas the 2009 mini uses a 2.53 GHz (P8700) Intel Core 2 Duo.

      Go to any benchmark site and do a comparison of those processors; they are pretty close, yet one supports Mavericks and the other tops out at Lion?