The Dangers Behind Apple's (err... Linux's) Epic Security Flaw
So last week I read this article on The Verge:
I personally find the security flaw very serious, but the headline is kinda funny considering Apple's response time to fix the flaw once they became aware of it, especially since they delivered the fix to over 80% of devices in a matter of days.
Meanwhile in the Android camp, 73% of users are still vulnerable to serious security flaws that are several years old because the fixes are available only to a small number of devices. I don't blame The Verge for running the headline on Apple because the failure in the iOS and OS X SSL implementation was very serious. I just find it amusing that Android security vulnerabilities seem to be par-for-the-course and nothing is considered "major" or "epic" about these vulnerabilities.
Then I came across something very interesting today on Ars Technica... According to this article, a flaw in the Linux implementation of the TLS security layer has left Linux open to a worse vulnerability since 2005 (yes, that is 9 years). Now I don't think most tech web sites are going to run with this story. Ars Technica is awesome about providing insight into things that matter and not just things that will draw page views.
The scary thing about this is that enterprises have been using Linux and the flawed TLS implementation for years, and that means enterprise data has been vulnerable if it has travelled over the internet. The other scary thing is that in neither case (Apple nor Linux) have unit tests caught the vulnerability (and they should have). Finally, the similarity of these defects points to the NSA infiltrating both source repositories with undercover operatives and planting the defects (but that's the conspiracy theorist in me talking). If we start seeing similar defects from Windows and other operating systems, then the case for NSA infiltration gets much stronger.