13 comments

[ 3.2 ms ] story [ 39.5 ms ] thread
I'm sure everything that linked against it is vulnerable, and as soon as we have an update, they'll all be OK.

I just wish the update were out now.

Interestingly enough, I just checked a system with Snow Leopard using Safari and Firefox and it seems that both do not have this vulnerability.

I can't say when this was introduced, but if it is in Mavericks, it must have gotten there sometime between Lion and Mountain Lion.

There's one major problem: software updater itself is vulnerable. So in theory the only way to get a clean system is to download a fresh, fixed installer via a channel that's not affected and reinstall. What a mess.
This is a problem only if updates are not signed.
No, it's not. The updater needs to know the correct signatures and it doesn't have a trusted way of retrieving them. Also, any previous update may have been malicious and replaced the updater. The updater may very well have embedded keys, but we don't know, so the secure option would be not to trust it.
That's not how signing works. Also, if the signing is indeed implemented correctly, then the updater cannot have been compromised earlier.
The updater verifies the signature using the public counterpart to Apple's current private key. It can only be changed by updating the updater (or a separate keys-only package), with the correct signature.

Or at least that's how it's supposed to work.

Most iOS users have not gotten the update notification yet. And many of those who have are waiting to apply the update since it requires a reboot. In addition, the update is only available for iOS 7.0.5 except for the 3GS and its iPod Touch equivalent. There is still a substantial number of iOS users on iOS 6 – usually not by incident …
This and the fact that they didn't release the OS X patch at the same time as the iOS patch constitutes a total FUBAR: The mistake they made was so basic that one wonders why on earth some junior / non-sec developer was working on a critical security component. Heads should be rolling.

If I understood correctly, they were also intermixing tabs and spaces (the web view implied so), so they also have that problem. (Just require spaces and ban tabs automatically so you know there's no way anyone can fuck things up).

Rule 59 from the Joint Strike Fighter C++ coding guide[1] calls out exactly this bug (with example bad code similar to Apple's bug): all if/while/for bodies must be enclosed in braces. Some other notable guides, like those frmo Google and NASA, do not require this. I thought it was a good idea before, and very good idea now.

[1]: http://www.stroustrup.com/JSF-AV-rules.pdf

It's a useless rule unless you have a tool that enforces it - because it is easy to violate without noticing.

If you have a style checker that enforces, then this rule is acceptably useful. However, if you already have a checker as such, why not have it check indentation (and multiple statements per conditional statement), and catch a larger class of bugs?

Personally, I think Google/NASA is right, and JSF is wrong.

like they said after kicking forstall out: teams will be working together much closer.