"Apple mobile devices at risk......"

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
This is only a problem if it manifests itself in something that gets out and widespread before it's patched. Here's hoping Apple beats that person/group to the punch.
 
OP
P
Joined
Sep 10, 2011
Messages
1,823
Reaction score
51
Points
48
Location
Lancashire
Your Mac's Specs
MacBook Air M1 2020 Ventura 13.4.1 500Gb 8Gb. iPhone12, Watch 5, HomePods.
Here's hoping Apple beats that person/group to the punch.

I just installed an update to iOS 7.0.6 which appeared to be a fix for SSL verification.
 
Joined
May 19, 2009
Messages
8,428
Reaction score
295
Points
83
Location
Waiting for a mate . . .
Your Mac's Specs
21" iMac 2.9Ghz 16GB RAM - 10.11.3, iPhone6s & iPad Air 2 - iOS 9.2.1, ATV 4Th Gen tvOS, ATV3

vansmith

That's all you have to do, is NOT use Public WiFi and you will be ok. That's why we have Data Plans for our phones. I never use Public WiFi anyways, so I know I'm safe :)
If it's an SSL issue, I don't think it matters how you connect - the data is still unsecured. The best way around this is do as the article suggests and use applications that don't use Apple's SSL functionality (until this is patched for OS X).
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
With all due respect for Apple, but this is what I call serious neglect, and I choose my words carefully.
This is not "just an issue", this is not just "stuff happens, we are sorry", this is not just "no big deal".
This is neglect, ..... deliberate ..... on purpose. This is not just "an accident".
Having a cross platform vulnerability and willingly choosing not to close it immediately is beyond me.
Forstall had to leave for something with a lot less impact on Apple's user base.

OS X is more secure than other OS's ...... right ?

Do I need to say that I am upset, both professionally and as a user?

/END RANT

Cheers ... McBIe
 

vansmith

I think this line from the Ars article on this issue (source) speaks to what you're bothered with McBie:
Apple rarely comments on matters involving security, particularly those involving vulnerabilities that remain unpatched.
It would seem that Apple has an issue with coming to terms with security issues. Taking their sweet time to fix certain things (at this point, it is "sweet time" as this fix should have been pushed out ages ago) and then refusing to comment on it is frustrating.
 
Joined
Jan 8, 2007
Messages
28
Reaction score
2
Points
3
Your Mac's Specs
iPod 8GB Nano
So an iPhone 4 user running iOS 6.1.x is stuck without going to iOS 7...? Is that the gist with this issue, it would seem? Keeping off public WiFi would be an option...and I am not in Sochi...so...

Thoughts are appreciated. And a 5s is not totally out of the question, but that brings in the whole v6 release question....

Thx.
 

vansmith

So an iPhone 4 user running iOS 6.1.x is stuck without going to iOS 7...?
No, iOS6 has been patched.

Keeping off public WiFi would be an option...and I am not in Sochi...so...
This is an SSL issue and has nothing to do with WiFi - any data sent is susceptible to this issue. It also doesn't matter if you're on a public or private WiFi network or where you are.

Thoughts are appreciated. And a 5s is not totally out of the question, but that brings in the whole v6 release question....
The answer is simple - does the 5s do what you want? If so, buy it. If not, don't. Playing the waiting game will get you nowhere since you'll be waiting forever.
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Vansmith - am I correct in assuming that OS X users can work around this by using a <cough>real<cough> browser like Firefox or Chrome?
 
Your assumption is correct as far as browser applications are concerned :)
All the other apps are still vulnerable.

Cheers ... McBie
 

vansmith

Vansmith - am I correct in assuming that OS X users can work around this by using a <cough>real<cough> browser like Firefox or Chrome?
From what I've read, this issue is specific to OS functionality so only that which is baked into the OS is affected. A test of this is at gotofail.com.

So yes, any browser but Safari.
 

cwa107


Looks like 10.9.2 is out, with the fix in tow.
 

vansmith

That was reasonably quick but this fix was one line - it should have been pushed out moments after discovery. There's no need to push this out as part of a larger update specifically.

Is it obvious that this issue really bothers me? This error was trivial (I saw a developer rip into Apple for this since decent QA should have caught this) but deeply destructive. Sure, nothing huge came of it but that's not the point (to preempt the "but nothing happened" argument).

I read an article earlier that made an interesting point. In it, someone interviewed mentioned how Microsoft is quick to admit fault and patch things while working with the community. While this makes their software look comparatively flawed, it's actually not - MS is just much better at recognising that their software is flawed. And this brings me back to what I've been arguing forever which is quite simple: OS X is software like any other and is thus flawed, weak and prone to fault. I still think it's pretty secure but this culture/myth around OS X's impenetrability needs to stop.
 
Now have a look at this write-up from AMW: New iOS flaw allows malicious apps to record touch screen presses . . . iOS 7.0.6. Hmmm, what happened to Apple vetting their apps??

The vulnerability has been confirmed in iOS versions 7.0.6, 7.0.5, 7.0.4 and 6.1.x by researchers from security firm FireEye who identified the issue and reported it to Apple. The researchers also claim they found ways to bypass Apple’s app review process, which could allow uploading an app with such touch screen monitoring capabilities in the App Store.

“We have created a proof-of-concept ‘monitoring’ app on non-jailbroken iOS 7.0.x devices,” the FireEye researchers said on Monday in a blog post.
 

Joined
Dec 8, 2009
Messages
453
Reaction score
10
Points
18
Location
The same as Sheldon Cooper - East Texas
Your Mac's Specs
iMac 2014 i5 5k 32gb 1tb fusion, second TB display, 2014 MBA
The failure from a programmer's view.

This soliloquy is for programmers, but feel free to read it anyway.

By now, most have seen the now famous Goto Fail of the current OS X/iOS security failure (that this thread is about). Most articles I have read all talk about how it is just a finger check where he/she hit insert twice. I think it is a reason to condemn the shortcuts built into C-type compilers.

C (and Perl and…) allow an IF statement construct to assume the curly brackets exist if the conditional statement has only one line, like so…

    if (some condition)
        goto fail;

Obviously, the code under the gun at the moment…

    if (some condition)
        goto fail;
        goto fail;
Important code past this point will never be executed, like SSL checking and stuff that you might want when you surf.

The second Goto statement will always be run, no matter what the result of the if condition and of course, that is the cause of the failure we are discussing.

Now, if the programmer had used the proper construct with curly brackets, and hopefully an editor that checks such, the OSX code would have looked like this…

    if (some condition)
    {
        goto fail;
        goto fail;
    }

Not only would he/she have had a much greater chance of noticing the finger check paste, but we wouldn’t be talking about failures of OSX now, since the second and wrong Goto would NEVER be accessed. It can’t be. Had the test been true, the first Goto would be properly run, and if failed, the entire construct inside the brackets would have been ignored. Someday, a programmer might stumble across the code and call out, “Hey, look at this dummy goto statement. Wonder who put that in?” but it wouldn't be a major topic of conversation among users now.

End of 2 cents.
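
The control flow described in the post above, as an added example that is not part of the original post and is not Apple's code. The functions hash_update and check_signature are constructed stand-ins, and verify_fail_closed goes beyond the post to show a variant in which the same slip rejects every connection instead of accepting it.

```c
#include <stdio.h>
/* Constructed stand-ins for the real hash and signature steps (0 = success). */
static int hash_update(void)           { return 0; }
static int check_signature(int sig_ok) { return sig_ok ? 0 : -1; }

/* Shape described in the post: the second goto sits outside the if. */
int verify_buggy(int sig_ok) {
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                      /* always runs, err is still 0 */
    if ((err = check_signature(sig_ok)) != 0)   /* never reached */
        goto fail;
fail:
    return err;                         /* caller reads 0 as "verified" */
}

/* Braced shape from the post: the stray goto is dead code in the block. */
int verify_braced(int sig_ok) {
    int err;
    if ((err = hash_update()) != 0) {
        goto fail;
        goto fail;
    }
    if ((err = check_signature(sig_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* Added variant: success is set only after the last check (fails closed). */
int verify_fail_closed(int sig_ok) {
    int result = -1;
    if (hash_update() != 0)
        goto fail;
        goto fail;                      /* same slip as verify_buggy */
    if (check_signature(sig_ok) != 0)
        goto fail;
    result = 0;
fail:
    return result;
}

int main(void) {
    printf("bad sig: buggy=%d braced=%d; good sig, fail-closed=%d\n",
           verify_buggy(0), verify_braced(0), verify_fail_closed(1));
    return 0;
}
```

GCC's -Wmisleading-indentation and Clang's -Wunreachable-code are the compiler warnings aimed at this pattern.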
 
How does one install an app that hasn't been published in the App Store on a non-jailbroken iDevice?

Perhaps they're making the assumption they can sneak it past Apple's QC?

My thoughts exactly Chris.

I would have thought that it was going to be more vulnerable on the JB devices and the Cydia Store and a rogue Repository. It's not something I would have thought could get through the loop hole of the Apple Eco System. Then again, we have a SSL problem don't we?
 
