Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple's iOS 9 Breaks VPNs

Posted by timothy on from the but-I-love-my-central-posterior-nucleus dept.

An anonymous reader writes with a report from The Stack that researchers have discovered a crucial security problem in the latest version of iOS 9: it breaks VPN connections to corporate servers. According to the linked piece, "The flaw was first detected in the iOS 9 beta, and has not been fixed in the released version. Neither has the bug been removed in the current iOS 9.1 beta." The workaround might not be what you want to hear, either, if you've happily upgraded to the latest version: it's to downgrade to iOS 8.4.1.

9 of 88 comments (clear)

  1. Good for the minnions by Anonymous Coward · · Score: 3, Funny

    All the C-levels will be disconnected so we can get work done.

    And here I thought Apple was a true business player.

    1. Re:Good for the minnions by MouseR · · Score: 5, Informative

      We're using Cisco's VPNs at the office and I've not observed it to be broken under iOS 9. Ditto for a colleague of mine.

    2. Re:Good for the minnions by zlives · · Score: 5, Informative

      FTA "Most notable is that when doing split tunneling, the Tunnel All DNS option no longer functions as expected."

      your setup maybe using public dns or published apps like Citrix.

  2. Source control? by mccalli · · Score: 4, Insightful

    What bothers me most about things like this is trying to relate it back to what is supposed to have changed in the latest versions. I can't think of anything in iOS 9 that should have touched code like this, which makes me wonder about the state of source control.

    Happy to be wrong, but Apple have had a few regression-type bugs before which again make me think their branching/merging strategies may not quite be up to snuff. Would like to be wrong though - anyone know of a changed area in iOS 9 that would have necessitated playing with something like this?

    1. Re:Source control? by fuzzyfuzzyfungus · · Score: 5, Insightful

      Even if they had good reason to poke at this, or rewrite it from the ground up(because discoveryd was totally cooler and better than old-and-busted mdnsresponder, so why stop there?) what possible excuse is there for "This update breaks VPNs" to not be treated as an absolute showstopper? That's the sort of attitude that just doesn't cut it outside the realm of pitiful consumer crap.

    2. Re: Source control? by Ravaldy · · Score: 4, Funny

      Please send your resume to me. We need a few d*ck heads that lack the ability to be constructive in their comments.

    3. Re:Source control? by CastrTroy · · Score: 4, Insightful

      what possible excuse is there for "This update breaks VPNs" to not be treated as an absolute showstopper

      This is what happens when you try to make a software update part of a hardware roll-out. They have hardware that they want to ship at a specific date, but haven't had any chance to get the software tested out in a while. They basically had to release iOS 9 even though they knew there was bugs because it was necessary for the new iPad and iPhone models.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. Re:Of course Apple wants into enterprise though? by Ayanami_R · · Score: 4, Interesting

    They have a LOT to do. We have had to switch our clients over to a chip and pin AD login from a regular local account. There is no easy way to do this, We can't apply the new security to the old accounts directly, or so I am told, so we have had to make another account and then "port" the old account data into the new one. Time machine broken, because it is protected by UID, no matching UID no backup, period. Keychain wonkiness, everything you know can go wrong with a keychain, has. Dropbox broken, easily fixed, but still... The best part, when 10.11 comes out no one can update because it will break al the chip and pin stuff and users won't be able to login. We have had to send 2 FAQ's on dealing with the asininity of all of this, and we are still stumbling across issues. One of my co-workers is tasked with something to do with programmers and root, that does not like these new accounts. No, I am not helping with that crap. BTW, when this happened with windows, they just pushed a package that did all the wizardry, which was simply installing a card reader driver, and a script that made sure that if there was a matching local account UID that it inherited that account.

    That brings me to the next issue, patch management, or rather the lack of it. When 10.11 comes out we have to hope everyone listens, because otherwise we're playing fun account movement games after downgrading them back to 10.10. users cannot install printers now, we have people bringing their printers in to work, so that we can install them. We have to patch everyone manually as there is no way to manage them with what we have.

    IT has been an absolute mess, and the boss, who is normally ok with letting a small thing slide without a ticket, is demanding that every interaction related to this, even 15 seconds, have a ticket so that he can show the massive time costs of this nonsense.

    --
    "Science is the power of man"
  4. Split Tunneling? by mveloso · · Score: 4, Insightful

    Problem is DNS during split tunneling, which isn't the same as "breaks VPN."

    I guess the editors are either click-baiting, are technically illiterate, or both.