Major Apple security flaw could allow hackers to pwn iOS devices, computers

Joe Menn at Reuters: "A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed." There's an OS update.

How bad is it? "It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

  1. Maybe people are just holding it wrong?

  2. riking says:

    This is the correct URL to test:

    (This bug is CVE-2014-1266, hence the port number).

    Chrome will show a webpage unavailable, with "ERR_FAILED" when you click More.

    Firefox will show a screen detailing the exact certificate problem.

  3. gwwar says:

    I'm amused that everyone thinks Apple is so infallible. Sure, the NSA could be doing this, but Apple doesn't have the best track record at security or bothering to patch those holes. I mean, who releases a security fix for iOS and then there's no emergency patch for OSX? It's a fucking one-liner.

    Also, remember this gem? A debug flag left passwords in plain text in log files, and they couldn't be bothered to fix it until 3 months later when it was discussed on a crypto mailing list.

    Gross incompetence or malice? I would need to see a bit more circumstantial evidence for the latter. What does git blame say? For example, someone hacking into a CVS server to slip in two lines of code is definitely a backdoor attempt. This? This could just be an idiot.

    Anyway, the Hacker News discussion on this is also amusing, if only for the fact that people think OpenSSL is written by monkeys and that there have been similar OpenSSL fiascos in Debian.
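The "one-liner" the commenters refer to, and the reason riking's test port behaves differently on a patched and an unpatched client, is a duplicated `goto fail;` in the TLS ServerKeyExchange signature check (CVE-2014-1266). The following C block is an added illustration, not Apple's SecureTransport source: it models the vulnerable control flow beside the corrected shape, and the helper names, the toy signature check and the error code values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the CVE-2014-1266 ("goto fail") pattern.
 * Constructed for illustration; not Apple's code. */

#define ERR_OK      0
#define ERR_CRYPTO  -9808   /* placeholder error code for this example */
#define ERR_BAD_SIG -9809   /* placeholder error code for this example */

/* Stand-in for the hash-update steps that precede the signature check. */
static int hash_update(const char *data) {
    return data ? ERR_OK : ERR_CRYPTO;
}

/* Toy signature check: the "signature" verifies only if it equals "good". */
static int verify_signature(const char *sig) {
    return strcmp(sig, "good") == 0 ? ERR_OK : ERR_BAD_SIG;
}

/* Vulnerable shape: the second "goto fail;" is not under the if, so it runs
 * unconditionally. Control reaches the cleanup label with err still 0 and
 * verify_signature() is never called, so any signature is accepted. */
int verify_server_key_exchange_vulnerable(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;   /* the stray duplicated line */
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: one goto per check, so the signature is actually verified. */
int verify_server_key_exchange_fixed(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    printf("vulnerable, bad signature: %d\n",
           verify_server_key_exchange_vulnerable("dh-params", "bad"));
    printf("fixed, bad signature:      %d\n",
           verify_server_key_exchange_fixed("dh-params", "bad"));
    return 0;
}
```

Compiling the vulnerable function with warnings enabled flags the unreachable second check, which is the kind of signal a build with `-Wall` and unreachable-code diagnostics turned on would have surfaced.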

