
Apple promises fix 'very soon' for Macs with failed encryption - Varcht
http://www.reuters.com/article/technologyNews/idUSBREA1L10220140222
======
gommm
It was completely irresponsible not to release the OS X fix at the same time
as the iOS fix. Apple also needs to set up a way to alert users when an update
fixes an important security fix.

None of my iOS devices asked to install the fix and I had to do a manual
update check. This should not happen for major security issues.

~~~
0x0
Also, the iOS over-the-air update refused to download over 3G even though it
was only 10MB. I couldn't even manually update until I got back home much
later :-/

(Last time I tethered to a friend's android phone!)

~~~
Geee
This is the stupidest limitation of iOS. Why can't I update or download big
apps on 3G? I just don't get it.

~~~
drawkbox
Blame limitations on wireless air delivery on telcos. They have the limit at
100MB now, but before it was 50MB and before that it was 20MB. The telcos
prevented files/apps over that size from being transmitted over their wireless
networks.

~~~
0x0
Yep, but Apple really should have increased the limit for updates to match the
limit for app sizes. It's pretty ridiculous that you can download as many 99MB
app installs and updates as you want, but be denied a 10MB critical security
patch over 3G.

------
chmars
It should be a given that Apple provides a fix for OS X as soon as possible.
On the other hand, it is telling that Apple gave priority to iOS.

(Although priority is relative even for iOS. We have many iOS devices in the
family and not a single one had asked to install the fix until yesterday
evening. The fix, however, was available after a manually initiated update
check.)

~~~
threeseed
> On the other hand, it is telling that Apple gave priority to iOS.

Maybe not. It could just be that OSX has a higher testing effort. There is a
bigger spread of versions across the OSX platform than iOS. And also Apple
does have quite a few hardware specific builds of OSX they need to test.

Still completely unacceptable though.

~~~
d0
I find this hard to believe. After using 10.8 and 10.9 over the last year, the
sheer number of bugs is embarrassingly high. Every day, something was breaking
for me. They have a serious QA problem i.e. they're either doing it wrong or
not at all.

------
cies
C'mon Apple... This is (as far as I understand) a one-liner fix! In open-source
land this would be fixed and package-manager-updatable in less than 24hrs.
Probably less than 6.

The fact that it takes sooo long, and that the fix will be bundled in a blob
with all sorts of other "fixes", gives me the feeling that one attack-vector
cannot be closed until another is available. I got this feeling years back
when a huge back-door-enabling was not closed for months until a big fat service
pack was issued that "fixed" it (amongst fixing a million+1 other things;
probably opening the next attack-vector).

Call me paranoid.

~~~
metric10
Consider that this fix doesn't just remove the goto, it enables code that
previously wasn't being run or tested. They need to verify that it works and
doesn't segfault, otherwise important services (like the update system itself)
could end up being broken. This includes testing on all Macs that can run
Mavericks, which is a larger and more complex set of hardware than iOS.

~~~
lucian1900
I still don't see how that's an excuse. Better to break everyone's TLS
connections than leave them vulnerable.

The risk isn't that high either, anyway.

~~~
demallien
I'm not 100% sure, but I think that the Mac update system actually uses this
code - if it starts failing they can't send out any more signed updates to
people. Far better to wait one or two days more to make sure that you're not
about to break some of the more important functionality in the OS, I would
think.

------
mistercow
Wasn't the fix for this to delete a duplicated line of code? How is that a
"very soon" fix and not a "yesterday" fix?

~~~
typicalbender
As metric10 mentioned, even a one-line change can cause a failure somewhere
else in the system, and they have to be confident that the new code that is
being executed, which wasn't before, actually works before releasing it to the
general public, where it could cause more harm. The fix may be simple but the
cascading effects from the fix need to be well understood before releasing.

------
lotsofmangos
So, how do we trust this update given a) we don't know for sure that the
original bug was an honest mistake, and b) the encryption checking mechanism
is blown so the update to fix the bug can be hijacked?

------
thelogos
The fallout from this will last for a while. Most normal people are not aware
of these security issues and many of them rarely install updates.

~~~
k-mcgrady
>> "many of them rarely install updates."

Not true, at least on iOS. iOS 7 is on over 80% of devices less than 6 months
after launch.

~~~
Pacabel
But that remaining 20% or so still includes millions of devices and people who
are affected.

~~~
joev_
Absolutely true, but compared to Android this is a rather good percentage.

------
higherpurpose
I was just reading through Adam Langley's description of the bug and this
jumped out at me:

> The code will always jump to the end from that second goto, err will contain
> a successful value because the SHA1 update operation was successful and so
> the signature verification will never fail.

Wait, Apple still uses SHA1? Are they aware it's banned from use (by NIST, no
less) starting with this year?

http://www.zdnet.com/nist-makes-a-hash-of-sha-1-ban-7000025980/

Maybe they'd want to take this opportunity to fix that, too...
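To make the quoted description concrete, here is an added illustration of the control-flow shape it describes, written for this page and not taken from Apple's code or from the thread; hash_update(), check_signature(), verify_buggy() and verify_fixed() are constructed stand-ins, with 0 meaning success as in the quoted err convention.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (hypothetical, not Apple's code): a hash-update
   step that always succeeds, and a signature check that only passes for
   the expected value. A return of 0 means success. */
static int hash_update(void) { return 0; }
static int check_signature(const char *sig)
{
    return strcmp(sig, "valid") == 0 ? 0 : -1;
}

/* Buggy shape: the duplicated "goto fail;" is unconditional, so control
   jumps to the fail label while err still holds the hash-update success
   value, and check_signature() is never reached. */
int verify_buggy(const char *sig)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                            /* duplicated line, always taken */
    if ((err = check_signature(sig)) != 0)    /* dead code in this version */
        goto fail;
fail:
    return err;
}

/* Fixed shape: with the duplicate removed, the signature check runs and
   its result decides err. */
int verify_fixed(const char *sig)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = check_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* A forged signature is accepted by the buggy flow and rejected by the fix. */
    printf("buggy, forged sig: err=%d\n", verify_buggy("forged"));
    printf("fixed, forged sig: err=%d\n", verify_fixed("forged"));
    printf("fixed, valid sig:  err=%d\n", verify_fixed("valid"));
    return 0;
}
```

Compiling the buggy version with clang's -Wunreachable-code reports the dead signature check, which is the kind of warning that flags a duplicated line like this.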

~~~
praseodym
If a certificate uses SHA1, Apple (or any other vendor) can't help but use
that for verification…

~~~
RexRollman
They can't refuse to use it? It seems to me that SHA1 should be deprecated.

~~~
stephen_g
I don't think you understand what the code is doing.

This is _verifying_ certificates for HTTPS connections - not creating them. If
they removed the SHA1 verification, you can no longer visit hundreds of
millions of sites that haven't updated their certificates yet.

It's the people still using certificates with SHA1 hashes that need to
upgrade.

~~~
RexRollman
But if browser makers decided not to support the hashes, the website owners
would _have_ to upgrade. Why allow them to continue to use weak hashes?

~~~
lawnchair_larry
Because there isn't an attack that affects them.

------
wreegab
> "I believe that it's just a mistake and I feel very bad for whomever might
> have slipped"

There has been such a rush from many places to cast this as a "mistake". We
just don't know whether this was deliberate or a mistake; anything else is
just an opinion. I don't see one explanation being less likely than the other;
it's annoying to see one explanation being pushed more than the other.

~~~
dmur
Is it _possible_ that this bug was deliberately planted? Sure. Is it _equally
likely_ that this bug was deliberately planted as it is that the bug was a
mistake? I say no, Occam's razor being the main reason for making that
distinction.

~~~
sitkack
Occam's razor is a pithy statement, not a fact, not a proven theory. Pithy
statements don't make things more true than non-pithy statements.

~~~
vinceguidry
http://en.wikipedia.org/wiki/Solomonoff%27s_theory_of_inductive_inference

~~~
sitkack
Not that a link to Wikipedia is even a complete sentence, but having the most
Huffman-compressible answer doesn't make it the correct one.

From the Wikipedia entry on Occam's Razor:

> In the scientific method, Occam's Razor is not considered an irrefutable
> principle of logic or a scientific result.

------
fidotron
This one is going to cause serious damage to the credibility Apple have long
been holding with many software developers. Most people seem to have tolerated
the massive quality drop in OSX since Tiger (easily their peak version) but a
bug as egregious as this which would easily have not happened with the
slightest bit of preventative quality control? Absolutely disgraceful.

Until someone else makes a laptop OS that's even half as good as OSX we're all
stuck with it.

~~~
stcredzero
_Most people seem to have tolerated the massive quality drop in OSX since
Tiger (easily their peak version)_

I would say that Snow Leopard was their peak, even though it did follow
Leopard.

------
afhsfsfdsss88
Apple: We really are holier than thou.

