Wednesday, February 26, 2014

Apple fanboys, update now

Apple just closed a pretty nasty security hole:
Apple has released OS X 10.9.2 which, you'll be delighted to know, improves the "accuracy" of the unread message count in Mail, and fixes the autofill feature in Safari among other little tweaks.

It also just so happens to snap shut a gaping security vulnerability that potentially allowed hackers to hijack users' bank accounts, read their email, steal their passwords, and compromise other SSL-encrypted communications.

On Friday afternoon, the Cupertino giant updated iOS 7 and 6 for iPhones, iPods, iPads, and Apple TVs to squash a flaw that knackered the integrity of SSL connections: a programming bug caused Apple's SSL code to skip over vital checks of a server's authenticity when establishing a connection. Apps affected by the flaw were left with no way to securely prove who they were talking to over the network.
The updates are for iPhone (you will by now have seen the message saying that an update is available) and for OS X. The OS X update is here. The iPhone update is available via iTunes.

If you have any question about whether you need the updates, point your Safari browser at the test at gotofail.com.
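For anyone wondering how code can "skip over vital checks", here is the shape of the bug as it was widely published, a duplicated `goto fail;` line, next to a fail-closed rewrite. This is an added illustration, not Apple's source: the function names and the integer stand-ins for the hash and signature steps are constructed for the example.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake steps; nonzero means error. */
static int hash_update(int step_ok)     { return step_ok ? 0 : -1; }
static int verify_signature(int sig_ok) { return sig_ok ? 0 : -1; }

/* Flawed shape: the second "goto fail" is not guarded by the if, so it
 * always runs. The signature check is never reached and err is still 0. */
int verify_flawed(int hash_ok, int sig_ok)
{
    int err;
    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
        goto fail;                      /* duplicated line */
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;                         /* 0 means "server authenticated" */
}

/* Fail-closed shape: braces on every branch, and the result starts as
 * failure, so success is only set after every check has passed. */
int verify_fixed(int hash_ok, int sig_ok)
{
    int result = -1;
    if (hash_update(hash_ok) != 0) {
        goto done;
    }
    if (verify_signature(sig_ok) != 0) {
        goto done;
    }
    result = 0;                         /* reached only after all checks */
done:
    return result;
}

int main(void)
{
    /* Constructed case: hashing succeeds, the server's signature is bad. */
    printf("flawed accepts bad signature: %s\n",
           verify_flawed(1, 0) == 0 ? "yes" : "no");
    printf("fixed accepts bad signature:  %s\n",
           verify_fixed(1, 0) == 0 ? "yes" : "no");
    return 0;
}
```

Current GCC and Clang report the duplicated line under `-Wmisleading-indentation`, so building with warnings enabled is a cheap way to catch this pattern.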

4 comments:

Dave H said...

When I read "a programming bug caused Apple's SSL code to skip over vital checks" I hear "a programmer skipped over vital checks in SSL code." Said programmer would be subject to public flogging if it was my shop.

Borepatch said...

Better security via public floggings?

;-)

Dave H said...

Just holding people accountable. Blaming it on a programming bug is the kind of misdirection you'd expect from a bureaucracy. Have you ever known a bureaucracy to make anything secure? Besides their own jobs, I mean.

Dave H said...

Plus I've spent most of the last two weeks dealing with devs who are determined to misunderstand simple instructions. I'm a bit cranky.