UPDATE: Apple has also released a patch for the version of this vulnerability on its OS X platforms, as part of the update to OS X 10.9.2. All users are strongly encouraged to download this update.
The Unofficial Skyrim Special Edition Patch (USSEP) adds meat pies to Skyrim to fix an issue where apple pie is referred to as meat pie. While a fine bug fix, the meat pie uses the same mesh though not the same texture as apple pie. This can create issues where the apple pie mesh and texture are changed causing the meat-pie texture to act up. Apr 14, 2011 Read reviews, compare customer ratings, see screenshots, and learn more about Patch - Local News. Download Patch - Local News and enjoy it on your iPhone, iPad, and iPod touch. If you're looking for 'everything local,' Patch is the app for you.
CORRECTION: An earlier version of this story said the updated version of iOS 6 would be 6.1.3. It is 6.1.6.
Apple's latest update to iOS, released Friday (Feb. 21), doesn't seem important at first. But the update actually fixes a serious security flaw, possibly caused by a single stray line of code, which leaves hundreds of millions of iPhones and iPads vulnerable to hackers.
Even worse, the flaw seems to affect recent versions of Mac OS X, for which a patch is not yet available.
MORE: Mobile Security Guide: Everything You Need to Know
If you have a device running iOS 6 or 7, and you're not connected to a stranger's Wi-Fi network, patch it now — we've got instructions below. If you're running Mac OS X on a laptop, don't use public Wi-Fi networks, even those at your favorite coffeeshop.
The flaw also affects second- and third-generation Apple TVs, which received a patch.
'I know what the Apple bug is,' tweeted Matthew Green, a cryptography expert who teaches at Johns Hopkins University in Baltimore. 'And it is bad. Really bad.'
Stay off the Starbucks network
In the Apple security bulletin issued Friday night (Feb. 21), Apple said only, 'An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS ... Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.'
Software vendors releasing emergency patches are often intentionally vague in order not to give would-be attackers any tips.
It's not clear how long the vulnerability has existed. Devices back to the iPhone 3GS, first released in June 2009, are affected, but the flaw could have been introduced in a later software update.
Apple provided no information about the exposure of Mac OS X devices to the flaw.
Google network-security engineer Adam Langley confirmed in a blog posting early Saturday (Feb. 22) that the flaw existed in OS X 10.9 (Mavericks), but added that Google Chrome and Mozilla Firefox browsers on OS X were not directly affected. (All browsers on iOS would be affected, since they're actually Safari underneath.)
To see whether the vulnerability exists on your system, try to open this URL Langley created: https://www.imperialviolet.org:1266/. If you can see a Web page, you're vulnerable.
Security firm CrowdStrike advised users of iOS devices and OS X laptops to not use untrusted Wi-Fi networks until patches had been installed.
'Do not use untrusted networks (especially Wi-Fi) while traveling, until you can update the devices from a trusted network,' wrote CrowdStrike's Alex Radocea in a blog posting. 'On unpatched mobile and laptop devices, set 'Ask to Join Networks' setting to OFF, which will prevent them from showing prompts to connect to untrusted networks.'
Regarding the vulnerability of OS X devices, Radocea wrote only, 'We expect Apple to release an update soon.'
We'll get into the technical details of this software flaw, but first, here's how to update your iOS and Apple TV devices.
How to update an iOS device
To update your iOS device, first make sure you're on a trusted, password-protected home or office Wi-Fi network. Don't use the Wi-Fi in a public place, even if it requires a password.
If your wireless carrier's 3G/4G signal strength is good and you don't mind using up some cellular data, turn Wi-Fi off.
Connect the device to a power source if possible. Some software updates take time to download and install.
Tap the Settings icon on your device's home screen, then tap General, then Software Update.
If you're running iOS 7, you'll be prompted to install iOS 7.0.6; if iOS 6, it'll be iOS 6.1.6.
Tap Download and Install. If you're prompted again to confirm the installation, tap Install.
Your device will restart when the installation is complete.
This update is for iOS 6 and 7, applying to iPhone 3GS and later, iPad 2 and later and iPod Touch fourth-generation and later.
How to update Apple TV
To update Apple TV, select Settings, then General, then Software Update.
The device will check for an available update; if your device is eligible for this one, the update will be Apple TV 6.0.2.
Select Download and Install. The Apple TV light will flash during the process, and the Apple TV will restart once the installation is complete.
The update is for second-generation and later Apple TVs.
You don't see me, but I see you
From Apple's statement, it appeared that the flaw permitted a man-in-the-middle attack upon secure Internet communications by an attacker sitting on the same local network — coffeeshop or airport Wi-Fi, for example — as the victim.
Man-in-the-middle attacks occur when an attacker intercepts a communication between two parties, and then impersonates each party to the other.
Say Alice and Betty are communicating, but Clyde stages a man-in-the-middle attack. To Alice, he pretends to be Betty, and to Betty, he pretends to be Alice. Clyde now controls the messages Alice and B are exchanging, and can read, change or redirect them without Alice or Betty being aware of his presence.
Using such an attack, a stranger sitting in a hotel lobby or cafe could intercept other people's online banking activity, social-media postings, email messages and so on. He could even try to inject malware by creating fake software downloads.
MORE: Aviator: Hands-On With the Most Secure Web Browser
You can goto your own way
Cryptography experts immediately tried to figure out what was wrong with Apple's implementation of Secure Sockets Layer (SSL), the protocol that underlies almost all Web-based secure connections.
A few figured it out quickly — and were scared at what they saw.
'I'm not going to talk details about the Apple bug except to say the following,' tweeted Green. 'It is seriously exploitable and not yet under control.'
Google's Adam Langley initially tweeted Friday evening that he was also going to 'keep quiet' about the bug.
But other software experts posted code snapshots overnight of what they believed what might be the flaw, and it made its way to online forums.
Noting that 'the cat's out of the bag,' Langley broke his silence in his Saturday blog posting, revealing that the devastating software flaw apparently derives from a single repeated line of code in Apple's open-source SSL implementation.
The code looks like this:
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
Notice the repeated 'goto fail;'. That shouldn't be there. Langley explained that that repeated line of code effectively disables verification of the digital signatures underlying SSL, with the result that all signatures pass the verification check and 'everything falls apart.'
'The first one is correctly bound to the if statement, but the second, despite the indentation, isn't conditional at all,' Langley wrote. 'The code will always jump to the end from that second goto, err will contain a successful value because the SHA1 update operation was successful and so the signature verification will never fail.'
Our friends in Fort Meade
The security community on Twitter indulged in gallows humor about the Apple security flaw overnight.
'iOS/OSX SSL bug is like suddenly realizing that you've been walking around without pants for the past month,' tweeted independent security researcher and journalist Ashkan Soltani. 'All your privates are exposed.'
Some joked that the National Security Agency, based in Fort Meade, Md., must have at some point in the past exploited the newly revealed flaw to snoop upon Apple users.
'I heard that in Maryland some parties 'with a privileged network position' are opening Champagne to celebrate this iOS bug,' tweeted Chaouki Bekrar, head of a French firm that finds zero-day vulnerabilities — previously unknown software flaws — and sells them to government agencies.
'More likely they're holding a funeral for it,' replied Melissa Elliott, a security researcher with Veracode in Burlington, Mass.
'I'm sure the Apple bug is unintentional,' noted Green. 'But man, if you were trying to sneak a vuln into SSL, this would be it.'
When a company like Apple rushes out a software patch for a critical security bug, it deserves praise for protecting its customers quickly. Except, perhaps, when that patch is so rushed that it's nearly as buggy as the code it was designed to fix.
Earlier this week, Apple scrambled to push out a software update for macOS High Sierra, to sew up a glaring hole in the operating system's security measures: When any person or malicious program tried to log into a Mac computer, install software, or change settings, and thus hit a prompt for a username and password, they could simply enter 'root' as a username, no password, and bypass the prompt to gain full access to the computer. Apple's initial patch came out about a 18 hours after the bug was first reported.
But now multiple Mac users have confirmed to WIRED that Apple's fix for that problem has a serious glitch of its own. Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the 'root' bug reappears when they install the most recent macOS system update. And worse, two of those Mac users say they've also tried re-installing Apple's security patch after that upgrade, only to find that the 'root' problem still persists until they reboot their computer, with no warning that a reboot is necessary.
'It’s really serious, because everyone said 'hey, Apple made a very fast update to this problem, hooray,' says Volker Chartier, a software engineer at German energy firm Innogy who was the first to alert WIRED to the issue with Apple's patch. 'But as soon as you update [to 10.13.1], it comes back again and no one knows it.'
'That is bad, bad, bad.'
Thomas Reed, Malwarebytes
Even if a Mac user knew to reinstall the security patch after they upgraded High Sierra—and in fact, Apple would eventually install that update automatically, as it has for other users affected by the 'root' bug—they could still be left vulnerable, says Thomas Reed, an Apple-focused researcher at security firm MalwareBytes. After Reed confirmed that 10.13.1 reopened the 'root' bug, he again installed Apple's security fix for the problem. But he found that, until he rebooted, he could even then type 'root' without a password to entirely bypass High Sierra's security protections.
'I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad,' says Reed. 'Anyone who hasn't yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.'
Mac administrator Chris Franson, a technical director at Northeastern University, tells WIRED that he repeated that sequence of events and found that the 'root' bug persisted, too. But he noted that rebooting the computer—after updating to 10.13.1 and then re-installing the security fix—did cause the security update to finally kick in and resolve the issue, which MalwareBytes' Reed confirmed. They both note, however, that Apple's security update doesn't tell users to reboot after installing it. 'You could easily have someone who doesn't reboot their computer for months,' says Reed. 'That's not a good thing.'
Microsoft July Patch Issues
WIRED reached out to Apple about the flaws in its patch, but hasn't yet heard back. On Monday, the company added an extra warning to its security update page for the 'root' bug: 'If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.'1
The bug in Apple's bug-fix isn't, of course, as bad as its original 'root' problem. For one, it's not clear how many High Sierra users might have installed the security patch before upgrading to the most recent version of the operating system, or even if everyone who did so is affected. Even among those who were affected, many likely have rebooted their computers, which should leave them protected.
But the shoddiness of Apple's patch joins a disturbing pattern of security missteps in High Sierra's code. Apple had already issued a rare apology for the 'root' security flaw, writing that its 'customers deserve better' and promising to audit its development practices to prevent similar bugs in the future. And even before that most recent bug blowup, researchers had already shown—on the day of the operating system's launch no less—that malicious code running on the operating system could steal the contents of its keychain without a password. Another facepalm-worthy bug displayed the user's password as a password hint when someone tries to unlock an encrypted partition on their machine known as an APFS container.
Even the fix for this week's 'root' bug has already hit snafus before this more serious one presented itself. The first version of Apple's patch broke some file-sharing functions on High Sierra, requiring Apple to put out a second version. Now Apple may have to reissue the 'root' patch yet again, says MalwareBytes' Reed.
'Anyone rushing a patch like this could very easily make a mistake,' Reed says. 'But the big question going around now is, what is Apple’s quality assurance [team] for Mac doing? I don’t know what’s going on that these bugs could have slipped past.'
This post has been updated to include Apple's addition to its security page detailing the patch.
Related Video
SecurityThe iOS 11 Privacy and Security Settings You Should Set Up Right Now
World Of Warcraft Patch Download
Heads up, iPhone owners. iOS 11 comes with a batch of security features that merit your attention.