Apple releases OS X 10.9.2 update, patches severe SSL bug

Summary: Apple has released the OS X 10.9.2 update for all Mavericks users, which, amongst other things, patches the SSL bug in the operating system that could allow full transparent interception of HTTPS traffic.

TOPICS: Security

Apple has released the OS X 10.9.2 update for all Mavericks users, which, amongst other things, patches the SSL bug in the operating system that could allow full transparent interception of HTTPS traffic.

This vulnerability affected not only Safari but also any other installed application relying on an encrypted channel to the internet through the system's SSL/TLS library. Third-party browsers such as Chrome and Firefox, however, ship their own SSL/TLS implementations, so they are not subject to the vulnerability.

The bug, which has apparently gone unpatched since iOS 6's release in 2012, resides in a piece of open source code used by Apple.

Aldo Cortesi, CEO and founder of security consultancy Nullcube, claimed to have intercepted iCloud data, including KeyChain enrolment and updates, data from the Calendar application, and traffic from apps that use certificate pinning, such as Twitter.

"Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured."

The SSL bug also affected iOS users, but a patch was pushed out last week to iPhone (4 and later), iPod touch (5th generation) and iPad (2nd generation and later) users, closing the vulnerability.

The vulnerability is not present in versions of OS X prior to OS X 10.9 Mavericks or iOS prior to iOS 6.

The update, which weighs in at 460MB, also brings other bug fixes and a raft of new features to Mavericks, including:

  • The ability to make and receive FaceTime audio calls
  • Call waiting for FaceTime
  • The ability to block incoming iMessages from other users
  • Improved AutoFill in Safari
  • A fix for a sound issue on the Mac
  • A fix for a VPN issue

For a full listing of the security patches in this update, visit the Apple site.

Given the severity of the SSL bug, it is highly recommended that you install this update as soon as possible; delaying could leave your data vulnerable to being harvested. While there haven't been any credible reports of criminals using this vulnerability, it's better to be safe than sorry.
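The flaw the article describes, as an added illustration that is not from the article or from Apple's code: a constructed C model of the publicly documented control-flow error in SecureTransport's server key exchange signature check (the duplicated, unconditional goto a commenter below refers to), with the vulnerable and fixed forms side by side. The hash is a toy substitute for SHA-1 and all function names are invented.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model (not Apple's code) of the control-flow error in
 * SecureTransport's server key exchange signature check. As in the
 * original, each step returns 0 on success and nonzero on failure. */
/* Toy stand-in for the SHA-1 context update (invented helper). */
static int hash_update(const char *data, uint32_t *acc) {
    if (data == NULL) return -1;
    for (size_t i = 0; i < strlen(data); i++)
        *acc = *acc * 31u + (unsigned char)data[i];
    return 0;
}

/* The digest a genuine server signature would have to match. */
uint32_t expected_digest(const char *params) {
    uint32_t acc = 0;
    hash_update("client_random", &acc);
    hash_update(params, &acc);
    return acc;
}

/* Vulnerable form: the second "goto fail;" is not guarded by any if,
 * so the comparison is skipped while err is still 0 and any signature,
 * including a forged one from an interceptor, is accepted. */
int verify_vulnerable(const char *params, uint32_t signature) {
    int err;
    uint32_t acc = 0;
    if ((err = hash_update("client_random", &acc)) != 0)
        goto fail;
    if ((err = hash_update(params, &acc)) != 0)
        goto fail;
        goto fail;                        /* BUG: unconditional jump */
    err = (acc == signature) ? 0 : -1;    /* never reached */
fail:
    return err;
}

/* Fixed form: same code with the stray goto removed, so a forged
 * signature yields -1 and the handshake is aborted. */
int verify_fixed(const char *params, uint32_t signature) {
    int err;
    uint32_t acc = 0;
    if ((err = hash_update("client_random", &acc)) != 0)
        goto fail;
    if ((err = hash_update(params, &acc)) != 0)
        goto fail;
    err = (acc == signature) ? 0 : -1;
fail:
    return err;
}
```

The lesson for reviewers is that the error variable must be set on every path that reaches the exit label; a compiler warning for unreachable code would have flagged the skipped comparison.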

  • Only five days after zero daying us, by letting the world know through iOS 7.0.6 that OS X was vulnerable and unpatched!

    Not impressed, but definitely relieved.
    • Man in the middle attacks

      Are not trivial to pull off, so while it's good the patch is out, the past four days were not the apocalypse.
  • Re: Apple releases OS X 10.9.2 update, patches severe SSL bug....

    That makes sense as OS X 10.9.2 was all but finished, with the final pre-release build (13C62) being released to developers last week.
  • Laziness

    That's what happens when software makers don't update the third-party libraries they use, in this case OpenSSL.
    • Safari doesn't use OpenSSL

      It uses a library of its own creation, in WebKit and Darwin, called SecureTransport.
  • SSL

    I think that's a pretty good turn-around. Only 5 days to identify the issue, test it and then release it to the public.

    Not sure it could have been done much better than that.
    • Apple knew more than 5 days ago

      As the 10.9.2 update was sent to specific testers last week. Still, it shows they are trying to keep up with the "baddies", rather than trying to deflect (as some other Multinational Mega Corp always does).
      I hate trolls also
    • Unpatched since ios 6

      "The bug, which has apparently gone unpatched since iOS 6's release in 2012, resides in a piece of open source code used by Apple."

      Try two years to fix the bug.
      • Bug or BackDoor

        More importantly, what is the name of the person who inserted the "goto error" line 2 years ago?
  • Now the bug is fixed

    I'm sure nothing else could possibly go wrong.
    • There is always a possibility.

      But if you go by track records, other companies (Microsoft, Adobe, Mozilla) do not have perfect records either.
      I hate trolls also
  • Is it patch Tuesday already again?!

    ... oh wait, that's Microsoft - having to patch their systems every week. My bad.
    • Microsoft patches

      Once a month, not once a week. Some of the recent High Profile patches have affected everything from Windows 2000 through Windows 8. So I guess some vulnerabilities have gone 14 years before being patched.
      I hate trolls also
    • Your bad indeed

      Sorry for ruining your joke, but Patch Tuesday is the second Tuesday of the month, not every week.

      But at least it's on a fixed schedule so IT can plan their patch management, not peek-a-boo updates like Apple.
      • Let's take SharePoint 2013 for example ...

        ... installed SP2013 in November, ran patch updates in February and there were over 107 patches waiting to be applied to both Windows and SP.

        I'm not saying Apple or Microsoft patching is better; but why do Microsoft's products have so many patches, and so frequently?! ... It doesn't exactly shine that it's a secure product. Perhaps it's just bad programming, who really knows.
        • Unless you feel there are significantly more vulnerabilities in Windows...

          ...more patches means Microsoft is doing a better job of patching them. IOW I'd rather see more patches than less (unless less means less vulnerabilities...which I doubt in anything the size of a modern day OS).
          • If you count up patches

            in the various systems that now update in real time, they probably all number in the dozens. The patch count should be considered fairly unremarkable. In the old days you had to wait for a technet CD, and they would roll up the fixes in a big service pack.

            Now you can patch as soon as there is a code drop for a fix... hard to see the downside in Internet-time patching, personally.
        • Simple

          Apple bundles their patches into a group. If one bad fix happens, it ruins the whole thing. If one bad patch happens with Windows, people can just remove the bad patch and call it a day.
          Michael Alan Goff
        • Did you miss the Dec update?

          You're mixing up Windows and SP patches.

          SharePoint server is not on the same patch channel as the rest of the Office System; since it's going to be an SP1, I can see why they skipped the Jan cumulative update and just rolled that into SP1.

          If you have a specific SP issue you can always file a support ticket and download a hotfix.

          Also, the number of patches, and by extension vulnerabilities, has nothing to do with how secure a system is. It just means how often vulnerabilities are being found in a system.

          For example, Mac OSX has 63 vulnerabilities in 2013:

          While Windows 8 + 8.1 has a total of (58+7) 65:

          By the statistics Mac OSX is no more or less secure than Windows. But patching more often would be better, because patching often = less time the system spends in a vulnerable state.

          What's different is Microsoft is actually open to acknowledging their vulnerabilities through the Trustworthy Computing initiative/Trusted Computing Group/security bulletins rather than keeping it secret like Apple.

          For years Apple has been enjoying less attention from hackers, but nowadays "Security through obscurity" is simply not an option for Apple anymore.
      • There are pluses to each system

        Microsoft has a long history of patches screwing up third party software. That has been documented for decades, and some of it was intentional. Apple doesn't have such a track record. If Apple were to wait a month after it was documented, imagine the crap the press would give them. It has been documented that some Microsoft patches affect every version of Windows (some as old as 14 years ago), yet there is no "Moral outrage". I say the same outrage should be leveled at everyone, or no one at all.
        I hate trolls also