Apple squashes cert-handling bug affecting macOS and iOS

Apple has resolved a certificate validation vulnerability affecting both macOS and iOS users. The vulnerability (CVE-2017-2485) posed a remote code execution risk on affected systems, creating a potential mechanism for hackers to craft exploits that pushed malware on to otherwise patched iThings. The flaw – discovered …

  1. Jo_seph_B

    Not the most important part of this patch....

    Cert bugs. Who cares.

    This Software Update Adds 'Siri support for cricket sports scores and statistics for Indian Premier League and International Cricket Council'.

    Let's not forget the added support for Dictation for Shanghainese. Not even sure what language Shanghainese is but I'm going to be checking it out for sure.

    1. Anonymous Coward

      APFS

      I'd argue that's the most important part of this update, because it is converting the filesystem from HFS+ to APFS in place. That's Apple's future filesystem, that future features and security improvements will depend upon.

      In the process of upgrading right now - but I made sure to do a quick sync beforehand, because as an long time IT pro, the idea of an in-place filesystem upgrade makes me nervous even though I'm sure they tested the crap out of it :)

      1. Anonymous Coward

        Re: APFS

        I'd argue that's the most important part of this update, because it is converting the filesystem from HFS+ to APFS in place. That's Apple's future filesystem, that future features and security improvements will depend upon.

        Isn't that just on iOS for now? As far as I can see it's still HPFS on the SSD so I better check as I'm quite interested in it. I did notice it was rather keen to enable FileVault which is new..

        I noticed that Keynote has finally got some intelligence in the tables, which also gives it access to the new spreadsheet function "currency" which picks up conversion rates online.

        Annoyingly, I had to update GPGmail again - Apple seems to have changed something again in Mail. I haven't checked if it can now handle attachments properly instead of treating them as mime enclosures...

    2. patrickstar

      Re: Not the most important part of this patch....

      This isn't some error that would make an otherwise invalid certificate valid. This is a memory corruption bug in the certificate handling. If it's successfully exploited, it would mean that anyone who can serve up a certificate (like any web site visited over https) can pwn you.

  2. DougMac

    Why won't Apple backport security?

    And of course, no recourse for MacOS 10.11 users (assuming they are affected as well).

    No security updates are dropped for 10.11.

    And the bugs in 10.12 still prevent me from using my normal workflow.

    Progress.

    1. MD Rackham

      Re: Why won't Apple backport security?

      You might want to check for updates before complaining too loudly.

      "Security Update 2017-001 10.11.6" is available to fix the cert bugs on 10.11 via Software Update.

    2. big_D

      Re: Why won't Apple backport security?

      Consider yourself lucky, my iMac hasn't had any updates for several years. They stopped updating Lion a long time ago...

  3. Slap

    Why oh why

    Why oh why do these security researchers always blow their load by giving out all the details of a security problem on the release day of a fix, thus giving all the "bad actors" a chance to capitalise on the situation before some users have a chance to do anything about it.

    OK, I understand that they give the tech companies fair warning, but they totally forget about the users who, for one reason or another, may not be able to apply the fix immediately.

    As for me I have no chance to apply iOS 10.3 or 10.10.4 before the weekend as I cannot take the risk that the updates will brick something. OK, generally they don't, but I'm in the middle of a project away from home and the office, so I'm just going to have to wing it.

    I also know that the chances of me being hit by this in the next 4 days are minimal, but please, security researchers, give us users a couple of weeks before you blurt your findings to all and sundry.

    1. big_D

      Re: Why oh why

      Because, as soon as the software company releases the fix, the bad guys will be rummaging through the changes, looking for what has changed and seeing if they can break the old code...

      With the fair warning about what has been found, and fixed, the user has a chance to understand how important the update is and what they have to be aware of.

  4. ahmerali

    Does Apple backport fixes for older versions of their software like OSX 10.8.5 or iOS 7.1.2?

    I tend to stay behind the curve a little with new devices because I find them to be more reliable and cheaper. For example, when iPhone 6 came out, I got an iPhone 5s. The iPhone 5 is not quite 3 years old but I have not seen any updates for iOS 7.1.2 other than to upgrade to iOS 9 which sounds like a radical action.


Biting the hand that feeds IT © 1998–2021