Apple releases OS X 10.9.2 update, patches severe SSL bug

Summary: Apple has released the OS X 10.9.2 update for all Mavericks users, which, amongst other things, patches the SSL bug in the operating system that could allow full transparent interception of HTTPS traffic.

This vulnerability not only affected Safari, but also other installed applications relying on an encrypted channel to the internet. However, third-party browsers such as Chrome and Firefox rely on different implementations of SSL/TLS, which means that they aren’t subject to the vulnerability.

The bug, which has apparently gone unpatched since iOS 6's release in 2012, resides in a piece of open source code used by Apple.

Aldo Cortesi, CEO and founder of security consultancy firm Nullcube, claimed to have intercepted iCloud data, including Keychain enrolment and updates, data from the Calendar application, and traffic from apps that use certificate pinning, such as Twitter.

"Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured."

The SSL bug also affected iOS users, but a patch was pushed out last week to iPhone (4 and later), iPod touch (5th generation) and iPad (2nd generation and later) users, closing down the vulnerability.

The vulnerability is not present in versions of OS X prior to OS X 10.9 Mavericks or iOS prior to iOS 6.

The update, which weighs in at 460 MB, also brings other bug fixes and a raft of new features to Mavericks, including:

  • The ability to make and receive FaceTime audio calls
  • Call waiting for FaceTime
  • The ability to block incoming iMessages from other users
  • Improved AutoFill in Safari
  • A fix for a sound issue on the Mac
  • A fix for a VPN issue

For a full listing of the security patches in this update, visit the Apple site.

Given the severity of the SSL bug, it is highly recommended that you install this update as soon as possible; delaying could leave your data vulnerable to being harvested. While there haven't been any credible reports of criminals using this vulnerability, it's better to be safe than sorry.

About

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technic...
