New security vulnerabilities in iOS and Linux discovered

Discussion in 'Main Forum' started by Prometheus, Mar 9, 2014.

    Prometheus (Administrator, Staff Member)

    Recently some serious security flaws have been discovered in both Apple's iOS and several Linux versions. The "take home" is that no platform is somehow above security flaws as long as humans are writing code. No kidding, right? But there are some who believe that you only have to worry about security flaws if you use some version of Windows, and that is just not true. Keep your systems as updated as possible, regardless of your chosen operating system.

    The new flaw in iOS would allow a bad guy to collect all your key presses, among other things, possibly collecting passwords. An article on this flaw appeared on 24 Feb, 2014, in Ars Technica, linked here.

    Another flaw in OS X and iOS was patched in iOS 7 and OS X version 10.9.2 very recently, so make sure you're up to date on patches. That flaw allowed an illegitimate site to impersonate another website, and it was caused by a simple "cut and paste" error in the source code where the identity of a website is verified. Below is an excerpt from the flawed source code:

    [Image: Goto-Fail-Source-Code-Flaw.png]

    It's a very instructive example of how very simple, easy-to-make mistakes can create critical flaws in software that may go undetected for years. People familiar with the C programming language will recognize that the error causes key portions of code after line 12 to be accidentally skipped entirely! Line 13, for instance, is never, ever executed under any circumstances, and that isn't what the programmer intended. This flaw is known as the "Goto Fail" flaw because of the above. It is described more here.

    A similar flaw was just discovered that affects at least the Red Hat, Ubuntu, and Debian distributions of Linux. Like the above "goto fail" flaw, it allows a bad website to impersonate any other website (like say, your bank), so it's a significant security flaw. It is described in this 4 March, 2013, article.
     
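The control-flow mistake described in the post above, as an added example that is not part of the original post and is not Apple's code. It is a stand-alone model of the flawed function's shape: a chain of `if (...) goto fail;` checks where one `goto fail;` has been duplicated without a condition. To keep it self-contained the "hash" is a toy FNV-1a checksum and the "signature" is just the expected digest (assumed, for illustration only; the real code hashed the key exchange and verified an RSA/ECDSA signature). The function and variable names are likewise assumptions, not the original identifiers.

```c
/* Added example: a minimal model of the "goto fail" bug (not Apple's code).
 * The hash and the "signature" are a toy FNV-1a checksum so the program runs
 * offline; the point is the control flow, not the cryptography. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t state; } hash_t;

static int hash_init(hash_t *h) { h->state = 2166136261u; return 0; }

/* Toy FNV-1a update. Returns 0 on success, like the real hash update call. */
static int hash_update(hash_t *h, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        h->state ^= buf[i];
        h->state *= 16777619u;
    }
    return 0;
}

static int hash_final(hash_t *h, uint32_t *out) { *out = h->state; return 0; }

/* Toy "signature check": the signature is simply the expected digest.
 * Returns 0 on match and -1 on verification failure. */
static int raw_verify(uint32_t digest, uint32_t signature)
{
    return digest == signature ? 0 : -1;
}

/* Mirrors the flawed function. The second 'goto fail;' is unconditional, so
 * hash_final and raw_verify are skipped while err still holds the 0 returned
 * by the preceding successful hash_update. Result: every signature "verifies". */
int verify_buggy(const uint8_t *client_random, size_t cr_len,
                 const uint8_t *params, size_t p_len, uint32_t signature)
{
    int err;
    hash_t ctx;
    uint32_t digest = 0;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, client_random, cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, p_len)) != 0)
        goto fail;
        goto fail;                                   /* the duplicated line */
    if ((err = hash_final(&ctx, &digest)) != 0)      /* never reached */
        goto fail;
    err = raw_verify(digest, signature);             /* never reached */

fail:
    return err;
}

/* The same function with the duplicated line removed. */
int verify_fixed(const uint8_t *client_random, size_t cr_len,
                 const uint8_t *params, size_t p_len, uint32_t signature)
{
    int err;
    hash_t ctx;
    uint32_t digest = 0;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, client_random, cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, p_len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, signature);

fail:
    return err;
}

/* Constructed sample input: a fake key-exchange message (assumption). */
static const uint8_t kClientRandom[] = "client-random-bytes";
static const uint8_t kParams[]       = "DH params from server";

/* The signature a legitimate server would produce for kParams (our toy: its digest). */
uint32_t genuine_signature(void)
{
    hash_t ctx;
    uint32_t d;
    hash_init(&ctx);
    hash_update(&ctx, kClientRandom, sizeof kClientRandom - 1);
    hash_update(&ctx, kParams, sizeof kParams - 1);
    hash_final(&ctx, &d);
    return d;
}

int buggy_accepts(uint32_t sig)
{
    return verify_buggy(kClientRandom, sizeof kClientRandom - 1,
                        kParams, sizeof kParams - 1, sig) == 0;
}

int fixed_accepts(uint32_t sig)
{
    return verify_fixed(kClientRandom, sizeof kClientRandom - 1,
                        kParams, sizeof kParams - 1, sig) == 0;
}

int main(void)
{
    uint32_t good = genuine_signature();
    uint32_t forged = good ^ 1u;   /* an attacker's made-up signature */
    printf("buggy: genuine=%d forged=%d\n", buggy_accepts(good), buggy_accepts(forged));
    printf("fixed: genuine=%d forged=%d\n", fixed_accepts(good), fixed_accepts(forged));
    return 0;
}
```

Two practical points fall out of this. First, a test suite that only feeds the function valid signatures will never notice the bug, because the buggy version returns success for those too; you need a negative test (a forged signature that must be rejected). Second, the indentation of the duplicated line makes it look conditional to a human reader, but the compiler only sees a bare `goto`; building with `-Wunreachable-code` (clang reports the dead statements here) and a style rule of always bracing `if` bodies both make this class of copy-and-paste error much harder to miss.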
