Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Apple: Red with Embarrassment

February 25, 2014

This guest post is by my partner John Simek, who shook his head and muttered at length when reading this story at our kitchen table:

Apple released an update on Friday to fix an error in the way SSL (Secure Sockets Layer) connections are validated. It has quietly pushed out iOS 7.0.6 and 6.1.6 for its mobile devices. The simplicity of the bug is astonishing. Essentially, the code is supposed to verify that the SSL connection is valid. However, there was an extra ‘goto’ statement in the code that bypassed a validation step. In other words, forget about the rest of the checks and just keep on trucking. Apparently checking for a valid digital signature isn’t important enough for the code to be exhaustively reviewed by experienced programmers. Truly a major league embarrassment.

Unfortunately, it doesn’t end with an incompetent programmer. The geniuses at Apple didn’t check to see if the same issue existed in their Mac operating system. As you may have guessed, the same problem was found in OS X 10.9.1. Having been caught with its corporate pants down (again), Apple announced that a fix is on the way. So don’t try to connect to any secure sites using Safari until the patch arrives.
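To make the extra ‘goto’ described above concrete, here is an added illustration in C; it is not Apple's code and not part of the original post. The struct and function names are hypothetical stand-ins for the handshake steps, and the hardened version shows the fail-closed shape that a stray jump cannot turn into a pass.

```c
#include <stdio.h>

/* Constructed stand-in for a handshake; not Apple's data structures. */
struct handshake {
    int hash_ok;       /* 1 if hashing the signed parameters succeeds */
    int signature_ok;  /* 1 if the server's signature really verifies */
};

/* Hypothetical helpers: return 0 on success, -1 on failure. */
static int hash_params(const struct handshake *h)     { return h->hash_ok ? 0 : -1; }
static int check_signature(const struct handshake *h) { return h->signature_ok ? 0 : -1; }

/* Flawed shape: without braces, only the first goto belongs to the if.
 * The duplicated goto always runs, while err still holds 0 ("valid"). */
int verify_flawed(const struct handshake *h)
{
    int err;

    if ((err = hash_params(h)) != 0)
        goto done;
        goto done;                        /* duplicated line: unconditional jump */
    if ((err = check_signature(h)) != 0)  /* never reached */
        goto done;
done:
    return err;
}

/* Hardened shape: braces on every branch, result starts as failure and
 * becomes success only after every check has actually run and passed. */
int verify_hardened(const struct handshake *h)
{
    int result = -1;

    if (hash_params(h) != 0) {
        goto done;
    }
    if (check_signature(h) != 0) {
        goto done;
    }
    result = 0;
done:
    return result;
}

int main(void)
{
    struct handshake forged = { 1, 0 };   /* constructed input: bad signature */
    printf("flawed:   %d\n", verify_flawed(&forged));    /* accepted */
    printf("hardened: %d\n", verify_hardened(&forged));  /* rejected */
    return 0;
}
```

Building this with GCC's `-Wall` reports the duplicated line through `-Wmisleading-indentation`, which is one inexpensive check a build pipeline can enforce alongside code review.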

Phone: 703-359-0700

http://www.senseient.com

http://twitter.com/sharonnelsonesq