Why single out Apple? Google also have billions they could theoretically spend on code review, yet they introduced the OpenSSL bug into Android's source code.
I think MS is the best at quality management at the moment. Open source projects don't have the resources, and open source does not really help if there's only a handful of people able to look at the code critically. Apple updates seem frantic. I think they did not really pay much attention to it; the security-by-obscurity mantra is biting them in the arse now.
That does not look like a good deal for Apple. They are pressed to synchronise with Google's schedule. MS is better off doing it their own way, they can better assess the risks and schedule the fixes.
It is open source. It happens the same with everything there, so Google has to work with others' schedules too.
I'm quite sure Apple find an occasional bug themselves too.
Blink came about because Apple's business focus is not really on the open web engines. Google's certainly is.
Perhaps it's time to update the compilers a bit with some extra checking tools. I can remember a 1970s mainframe COBOL compiler that could spot unused/unreachable code, so it's not going to be impossible for something these days to spot it, unless you're doing some really dodgy assembly language stuff.
And that goto fail code looks like a bit of a Friday afternoon after a few jars: cutting and pasting and forgetting to tidy it up. Probably meant to do it Monday, but then got sidetracked and never got around to fixing it.
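The control-flow shape the comment above is talking about, as an added example that is not the page's or Apple's code: a cut-down model of the duplicated `goto fail;` in Apple's SSLVerifySignedServerKeyExchange (the bug linked further down the thread). The hash updates and the signature check are replaced by stand-in functions, and the error constant is constructed for the demo; only the shape of the `if ... goto fail;` chain is taken from the real bug.

```c
/* Added example: model of the "goto fail" bug shape. Stand-in functions and
 * the ERR_BAD_SIG value are constructed for this demo, not Apple's code. */
#include <stdio.h>

typedef int OSStatus;
enum { OK = 0, ERR_BAD_SIG = -1 };   /* constructed status codes */

/* Stand-in for the hash update steps that precede the signature check.
 * They succeed unconditionally here. */
static OSStatus update_hash(int step) { (void)step; return OK; }

/* Stand-in for the signature verification; sig_ok is the demo's input. */
static OSStatus verify_signature(int sig_ok) { return sig_ok ? OK : ERR_BAD_SIG; }

/* Vulnerable shape: the second "goto fail;" is unconditional, so the
 * verify_signature() call after it is dead code and err still holds the
 * OK value left by the last hash update. A bad signature is accepted. */
OSStatus verify_vulnerable(int sig_ok)
{
    OSStatus err;
    if ((err = update_hash(1)) != 0)
        goto fail;
    if ((err = update_hash(2)) != 0)
        goto fail;
        goto fail;                                  /* the duplicated line */
    if ((err = verify_signature(sig_ok)) != 0)      /* never reached */
        goto fail;
fail:
    return err;
}

/* Fixed shape: exactly one goto per check, so the signature result
 * actually reaches the return. */
OSStatus verify_fixed(int sig_ok)
{
    OSStatus err;
    if ((err = update_hash(1)) != 0)
        goto fail;
    if ((err = update_hash(2)) != 0)
        goto fail;
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("vulnerable, bad signature: %d (0 = accepted)\n", verify_vulnerable(0));
    printf("fixed,      bad signature: %d\n", verify_fixed(0));
    return 0;
}
```

On the compiler point: clang's `-Wunreachable-code` reports the dead `if` after the duplicated goto in this file, which is the sort of check the comment above is asking for; GCC accepts the same flag but has not actually implemented the warning since the 4.x series, so a build that only ever sees GCC would stay silent.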
"OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code."
I'd say for the money it is pretty fantastic.
As for the static checking during compilation, it may help with the Apple goto fail, maybe, but certainly not with Heartbleed. It was an error at the semantic level: they forgot to check the actual heartbeat message length, as in its envelope, against the length it claimed to be. No chance to catch it. Now that they know, they can scan the code to see if they check it everywhere, though. They would have to use segment descriptors for each pointer, like 286 processors did in protected mode, to catch it.
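The missing length comparison the comment above describes, as an added example that is not the page's or OpenSSL's code: a cut-down model of the TLS heartbeat handling behind Heartbleed. The record layout (type byte, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520; the "connection buffer", the neighbouring secret and the message bytes are all constructed for the demo, and the vulnerable handler is kept inside that buffer so the over-read is deterministic rather than undefined behaviour.

```c
/* Added example: model of the Heartbleed length check. The arena, secret
 * and request bytes are constructed; only the record layout and the
 * "1 + 2 + payload + 16 > record_len" check come from RFC 6520 / the fix. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding required by RFC 6520 */

/* Constructed memory: the heartbeat record sits at the start of the arena,
 * and something sensitive happens to sit right after it (in real OpenSSL
 * this was whatever lived next on the heap). */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "PRIVATE-KEY-MATERIAL-NEXT-DOOR";

/* Build a request that claims `claimed_len` payload bytes but actually
 * carries `actual_len` bytes of 'A'. Returns the real record length. */
size_t build_request(uint16_t claimed_len, size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);   /* the neighbour */
    return record_len;
}

/* Vulnerable handler: trusts the length field inside the message and never
 * compares it with the length of the record that actually arrived. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;                       /* the bug: real length never consulted */
    const unsigned char *p = arena;
    if (p[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)p[1] << 8) | p[2];
    if (payload > out_cap || 3 + payload > ARENA_SIZE) return 0;  /* demo guard only */
    memcpy(out, p + 3, payload);            /* reads past the record into the neighbour */
    return payload;
}

/* Fixed handler: the one-line check OpenSSL added. A message whose claimed
 * payload does not fit in the received record is silently discarded. */
size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = arena;
    if (record_len < 1 + 2 + HB_PADDING) return 0;       /* cannot even hold a length */
    if (p[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)p[1] << 8) | p[2];
    if (1 + 2 + payload + HB_PADDING > record_len) return 0;   /* the missing check */
    if (payload > out_cap) return 0;
    memcpy(out, p + 3, payload);
    return payload;
}

/* Scenario: a 23-byte record that claims 64 payload bytes. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[64];
    size_t rec = build_request(64, 4);
    size_t n = heartbeat_vulnerable(rec, out, sizeof out);
    /* 4 'A's, 16 padding bytes, then the neighbour's bytes start at offset 20 */
    return n == 64 && memcmp(out + 20, secret, sizeof secret - 1) == 0;
}

int fixed_rejects_lie(void)
{
    unsigned char out[64];
    size_t rec = build_request(64, 4);
    return heartbeat_fixed(rec, out, sizeof out) == 0;
}

int fixed_echoes_honest_request(void)
{
    unsigned char out[64];
    size_t rec = build_request(4, 4);
    return heartbeat_fixed(rec, out, sizeof out) == 4 && memcmp(out, "AAAA", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks neighbour: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops lying request:  %d\n", fixed_rejects_lie());
    printf("fixed handler echoes honest one:    %d\n", fixed_echoes_honest_request());
    return 0;
}
```

This is also why the comment above is right that compile-time checking would not have found it: nothing in the types says the 16-bit field is attacker-controlled, and the fix is a plain comparison against a value the compiler cannot know. A runtime memory-safety tool (AddressSanitizer under a fuzzer) only fires once the over-read crosses a heap allocation boundary, which within a single large record buffer it need not.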
I got an e-mail from Newshosting about it, saying they hadn't been affected, but if the password was used for another site as well, then best to change it. It's not like, but I changed it anyway.
I was reading an article on Time.com and there was a line:
"After companies began fixing the security vulnerability, many sent emails urging users to change their passwords."
I got one email from Gearbox software and that was it.
Did many companies advise their customers to change their passwords?
Apparently there were complaints for some time about OpenSSL being a poorly run project, so maybe it was just incompetence.
A project run by volunteers with other real jobs poorly run? Surely not!
Even those "paid" to work on it for larger companies (talking Oracle, Red Hat, etc.) would have been doing so with the corporate goals of their employers in mind.
There is some really funny stuff going on. I'm guessing that since the Snowden event people are playing Sherlock to discover NSA-planted security flaws.
So much for the mightiest, securest Linux. It turns out people just did not want the vulnerabilities found and closed, because they need them for their work. And this one really takes the prize. With Heartbleed you would have to sift through raw data and hope to find something you can interpret and which is interesting. With this one you just tell the partners in an encrypted conversation to talk slower so you can understand them better. Given how much panic Heartbleed caused, this one deserves a proper meltdown, IMO. And these are the charms of open source. We are just lucky that this Japanese gentleman told us and did not feel like exploiting it himself. But how many others did? Having the code to analyse, you can work systematically. Also, who's going to refuse a competent programmer offering to help for free to improve the code? In closed projects like MS, it has to be an insider job to do something similar. Throwing things at the black box code and hoping something will stick is very ineffective.
This one isn't anywhere near as bad as Heartbleed (or even Goto Fail).
It requires both the server and client to be using a flawed version of OpenSSL. The only common web browser using OpenSSL is Chrome on Android.
Of course, SSL and TLS are used by a lot more services than just the web, and OpenSSL is more prevalent there, but I still don't think this bug comes anywhere close to Heartbleed levels of bad.
I think the discovery of this bug so soon after Heartbleed is a good thing. It means that attention is now focussed on OpenSSL and so bugs should get fixed more quickly.
It requires both the server and client to be using a flawed version of OpenSSL. The only common web browser using OpenSSL is Chrome on Android.
Isn't Android the most popular mobile OS and Chrome the most popular browser for it? Big things can happen on small devices, just because desktops are not involved this time it does not mean it's not dangerous. How about various banking apps for Android? They may use the same flawed OpenSSL, too.
I'm not saying this isn't bad, just that it's not as bad as Heartbleed.
It's entirely possible that banking apps on Android (or iOS or even Windows Phone), etc. could be vulnerable, but it requires the bank's server to be using a vulnerable version of OpenSSL (and they've had enough notice to update the server by this point) and for someone to be sitting between your device and the bank to force weak encryption.
I'm not too worried about this one, and can't think of any way it would actually bite me with any applications I actually use.
With Heartbleed you get blocks of raw data. You need to analyse that, and maybe you find something of interest there. There's a possibility you can fish out private keys, maybe passwords, but maybe it's just unusable rubbish. It takes quite an effort. With this one you just have to monitor the communication and inject yourself into it, and you get everything on a plate. Apparently this was around for years, so it could have been used extensively. Not every exploit has to be destructive or visible. Sometimes it's enough to just collect the information.
I think it's quite likely the powers that be have used such exploits to their advantage for a very long time. Especially as some of these vulns have existed for many years. They probably have many more exploits in their arsenal they use which aren't as widely known too.
Nevertheless it's ultimately a good thing that these are getting publicity now.
OpenSSL were paupers whilst Apple has billions at its disposal.
So which was most incompetent?
Me, as likely as not I think there is a fair chance that both were there on purpose.
Fail.
https://www.imperialviolet.org/2014/02/22/applebug.html
What I am slightly curious about is how come this new one got branding/marketing tagged.
Apple's didn't.
They act on Google's advice. A majority of holes are found by Google.
And when Google fix Blink, Apple have to act ultra-fast on WebKit.
Microsoft often carry all their bugs dating back beyond Windows XP.
Is a 2nd gaffe just coincidence then?
We also learn that they haven't fundamentally cracked the encryption.
So we can reasonably assume that this or something or somethings like this are what they use.