It was completely irresponsible not to release the OS X fix at the same time as the iOS fix. Apple also needs to set up a way to alert users when an update contains an important security fix.
None of my iOS devices asked to install the fix and I had to do a manual update check. This should not happen for major security issues.
Also, the iOS over-the-air update refused to download over 3G even though it was only 10MB. I couldn't even manually update until I got back home much later :-/
(Last time I tethered to a friend's Android phone!)
I am kind of amazed that that works. What's going on - does the baseband have its own IP stack, which it somehow shares to the computer, which then declares its own mini-lan and lets the iPhone on at a higher level such that iOS uses that preferentially?
That's bizarre; I'm tempted to try it out when I get back to a country in which I have mobile data.
"More happening in this iPhone, I feel, than has been revealed"
You can do that with a routing/forwarding table in any OS [that provides access to routing/chains]. Forward+NAT the cable tether to the 3G network, but keep the default gateway to WiFi, so the local applications will not use the 3G.
Blame limitations to wireless air delivery on telcos. They have the limit at 100MB now, but before it was 50MB and before that it was 20MB. The telcos prevented files/apps over that size from being transmitted over their wireless networks.
Yep, but Apple really should have increased the limit for updates to match the limit for app sizes. It's pretty ridiculous that you can download as many 99MB app installs and updates as you want, but be denied a 10MB critical security patch over 3G.
It's just silly stupid.
But you can get social with a friend, then turn on your personal hotspots and connect your iPhones to install the security update. Sort of like a LAN party.
Speculation, but it makes me wonder if there’s a part of the story we’re not hearing yet.
Because yes, why not even hold the iOS fix for a day or two until they can both be pushed together? Obviously that’s not good, but isn’t it better than basically making an implicit irresponsible disclosure against your own operating system?
Maybe this bug is being exploited in the wild already and that’s the reason for the urgency?
Again, not that this should not be urgent, but why help your iOS users and at the same time potentially harm your OS X users? It just seems like a really weird decision.
They periodically check for new updates. You probably just happened to have a periodic check occur shortly after the update came out, just by pure chance. Everybody should see that prompt eventually, but it may take a day or two.
A day or two for an important security update is too long.
I heard about this thing yesterday on HN and did the update manually. My dad and sister's iOS devices hadn't notified them yet when I told them about it today, more than 24 hours later.
It should be a given that Apple provides a fix for OS X as soon as possible. On the other hand, it is telling that Apple gave priority to iOS.
(Although priority is relative even for iOS. We have many iOS devices in the family and not a single one had asked to install the fix until yesterday evening. The fix, however, was available after a manually initiated update check.)
> On the other hand, it is telling that Apple gave priority to iOS.
Maybe not. It could just be that OSX has a higher testing effort. There is a bigger spread of versions across the OSX platform than iOS. And also Apple does have quite a few hardware specific builds of OSX they need to test.
I find this hard to believe. After using 10.8 and 10.9 over the last year, the sheer number of bugs is embarrassingly high. Every day, something was breaking for me. They have a serious QA problem i.e. they're either doing it wrong or not at all.
On OS X, only Mavericks is affected (10.8 is fine), which should reduce the number of software SKUs affected. Although their insistence on making it free & compatible with as many Macs as possible does mean around 46% of all Macs in use today are affected.
Honestly, iOS got it first because it's used by more people. And it's been clear for the last few years that Apple doesn't have two proper teams working on each OS. Which is ridiculous for a company of Apple's size.
C'mon Apple.. This is (as far as I understand) a one-liner fix! In open-source land this would be fixed and package-manager-updatable in less than 24hrs. Probably less than 6.
The fact that it takes sooo long, and that the fix will be bundled in a blob with all sorts of other "fixes" gives me the feeling that one attack-vector cannot be closed until another is available. I got this feeling years back when a huge back-door-enabling was not closed for months until big fat service pack was issued that "fixed" it (amongst fixing a million+1 other things; probably opening the next attack-vector).
Consider that this fix doesn't just remove the goto, it enables code that previously wasn't being run or tested. They need to verify that it works and doesn't segfault, otherwise important services (like the update system itself) could end up being broken. This includes testing on all Macs that can run Mavericks, which is a larger and more complex set of hardware than iOS.
This. Apple caters to millions and millions of people; acting rash and pushing out a fix that's not thoroughly tested could cause a lot of damage to their brand. The sad fact is the majority of people won't/don't care about this issue, so it's not in Apple's best interest to push out a fix that isn't thoroughly tested.
Please, stop it with the straw men. Microsoft can push an update like this in a day, and Windows runs on .. well every hardware ever made to run anything.
Umm...they can? Do you have any examples of this? All this time, has it just been that Windows security vulnerabilities have been found on the second Monday of every month?
> Consider that this fix doesn't just remove the goto, it enables code that previously wasn't being run or tested.
Good point. Still the update will likely come as part of a large blob.
Finally, I'm just disagreeing with the "tech savvy" crowd going en-masse for Apple products. OSX is a huge step fwd to Windoze in terms of internal software architecture -- yet it carries the same risk as it is proprietary and closed in parts that are critical to its security.
Yes Mr IT-geek; your MBP is probably rooted from the moment you opened the box.
I'm not 100% sure, but I think that the Mac update system actually uses this code - if it starts failing they can't send out any more signed updates to people. Far better to wait one or two days more to make sure that you're not about to break some of the more important functionality in the OS, I would think.
> C'mon Apple.. This is (as far as I understand) a one-liner fix! In open-source land this would be fixed and package-manager-updatable in less than 24hrs. Probably less than 6.
That was my first thought as well, but on reflection this sort of logic has a certain "quality." (Yes, that's a reference.)
As metric10 mentioned, even a one-line change can cause failure somewhere else in the system, and they have to be confident that the new code that is being executed, which wasn't before, actually works before releasing it out to the general public where it could cause more harm. The fix may be simple but the cascading effects from the fix need to be well understood before releasing.
So, how do we trust this update given a) we don't know for sure that the original bug was an honest mistake, and b) the encryption checking mechanism is blown so the update to fix the bug can be hijacked.
I was just reading through Adam Langley's description of the bug and this jumped out at me:
> The code will always jump to the end from that second goto, err will contain a successful value because the SHA1 update operation was successful and so the signature verification will never fail.
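The control-flow defect quoted above, and the earlier point that the fix "enables code that previously wasn't being run or tested", can both be seen in a small C program. This is an added example and not Apple's code or the thread's own; the SHA-1 update, final and raw-verify steps are replaced by constructed stand-ins (`toy_hash_update`, `toy_hash_final`, `toy_raw_verify`, a trivial checksum in place of SHA-1), and only the shape of the `goto fail` chain is kept. `verify_vulnerable` reproduces the stray unconditional jump; `verify_fixed` is the single-jump, braced form.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed error codes; the real code uses OSStatus values. */
enum { ERR_OK = 0, ERR_BAD_SIG = -1 };

/* Stand-in for the SHA1 update step: a toy multiplicative checksum.
 * It always succeeds, which is exactly why err still holds a success
 * value at the moment the stray goto fires. */
static int toy_hash_update(uint32_t *ctx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *ctx = *ctx * 31u + data[i];
    return ERR_OK;
}

/* Stand-in for the final step: hands back the accumulated digest. */
static int toy_hash_final(const uint32_t *ctx, uint32_t *digest)
{
    *digest = *ctx;
    return ERR_OK;
}

/* Stand-in for the raw signature check: here the "signature" is simply
 * the digest a legitimate signer would produce, so a mismatch is a bad
 * signature. */
static int toy_raw_verify(uint32_t digest, uint32_t signature)
{
    return digest == signature ? ERR_OK : ERR_BAD_SIG;
}

/* What a legitimate signer would attach to msg (used to build inputs). */
uint32_t expected_signature(const uint8_t *msg, size_t len)
{
    uint32_t ctx = 0;
    toy_hash_update(&ctx, msg, len);
    return ctx;
}

/* Vulnerable shape. The second "goto fail;" is not governed by any if,
 * so it is always executed: err still holds ERR_OK from the update that
 * just succeeded, the final and verify steps are skipped, and the
 * function reports success for any signature whatsoever. */
int verify_vulnerable(const uint8_t *msg, size_t len, uint32_t signature)
{
    uint32_t ctx = 0, digest = 0;
    int err;

    if ((err = toy_hash_update(&ctx, msg, len)) != 0)
        goto fail;
        goto fail;   /* the stray, unconditional jump */
    if ((err = toy_hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = toy_raw_verify(digest, signature);   /* never reached */

fail:
    return err;
}

/* Fixed shape: one jump per check, and every conditional body is braced
 * so a duplicated or mis-indented statement cannot escape its condition.
 * Note that the final and verify steps now execute for the first time. */
int verify_fixed(const uint8_t *msg, size_t len, uint32_t signature)
{
    uint32_t ctx = 0, digest = 0;
    int err;

    if ((err = toy_hash_update(&ctx, msg, len)) != 0) {
        goto fail;
    }
    if ((err = toy_hash_final(&ctx, &digest)) != 0) {
        goto fail;
    }
    err = toy_raw_verify(digest, signature);

fail:
    return err;
}

int main(void)
{
    /* Constructed sample input: a message and a deliberately wrong signature. */
    const uint8_t *msg = (const uint8_t *)"ServerKeyExchange params";
    size_t len = strlen((const char *)msg);
    uint32_t forged = expected_signature(msg, len) ^ 0xdeadbeefu;

    printf("vulnerable, forged signature: %s\n",
           verify_vulnerable(msg, len, forged) == ERR_OK ? "ACCEPTED" : "rejected");
    printf("fixed, forged signature:      %s\n",
           verify_fixed(msg, len, forged) == ERR_OK ? "ACCEPTED" : "rejected");
    return 0;
}
```

Two things this makes concrete for anyone reviewing a fix like this: a single negative test (feed a wrong signature, expect rejection) exposes the vulnerable version immediately, and the corrected version runs `toy_hash_final` and `toy_raw_verify` on paths that were dead before, which is why a "one-line" change still needs the real final and verify code exercised across the platforms it ships on.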
Wait, Apple still uses SHA1? Are they aware it's banned from use (by NIST, no less) starting with this year?
I don't think you understand what the code is doing.
This is verifying certificates for HTTPS connections - not creating them. If they removed the SHA1 verification, you can no longer visit hundreds of millions of sites that haven't updated their certificates yet.
It's the people still using certificates with SHA1 hashes that need to upgrade.
> "I believe that it's just a mistake and I feel very bad for whomever might have slipped"
There has been such a rush from many places to cast this as a "mistake". We just don't know whether this was deliberate or a mistake, anything else is just an opinion. I don't see one explanation being less likely than the other, it's annoying to see one explanation being pushed more than the other.
If anything, I'd assume both Apple and the NSA can find people who can sneak an intentional bug in that's a lot harder to spot than an extra "goto fail;". I've also seen enough silly bugs (1) result from merges or other tedious mechanical changes, and (2) escape detection in code review that I don't find it that hard to believe this was unintentional.
It's amazing how elusive the obvious can be when your mind's on something else. Given that, I personally assume good faith until there's significant reason to doubt that assumption.
Is it possible that this bug was deliberately planted? Sure. Is it equally likely that this bug was deliberately planted as it is that the bug was a mistake? I say no, Occam's razor being the main reason for making that distinction.
This one is going to cause serious damage to the credibility Apple have long been holding with many software developers. Most people seem to have tolerated the massive quality drop in OSX since Tiger (easily their peak version), but a bug as egregious as this, which would easily not have happened with the slightest bit of preventative quality control? Absolutely disgraceful.
Until someone else makes a laptop OS that's even half as good as OSX we're all stuck with it.