Keeping to its promise of delivering a fix for the major SSL security flaw “very soon”, Apple has released OS X 10.9.2, which addresses the bug (CVE-2014-1266, the so-called “goto fail” bug) that took the form of a single line of errant code that “allowed an attacker to bypass SSL/TLS verification routines and left users of Mavericks vulnerable to a so-called man-in-the-middle” according to MacRumors.
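The article does not show the errant line itself. The fix Apple shipped removed a duplicated, unconditional `goto fail;` from the server key exchange verification routine in Secure Transport, which caused the function to skip the final signature check while still holding a success status. The following is an added example, not Apple's code and not MacRumors' or the author's: a self-contained C model of that control flow, with the hash and signature routines replaced by stand-ins (`hash_update`, `hash_final`, `raw_verify` and the `key_exchange` struct are constructed for this example) so the vulnerable and fixed shapes can be run side by side offline.

```c
/* Model of the Secure Transport "goto fail" control-flow bug (CVE-2014-1266).
 * Added example, not Apple's code: the hash and signature routines below are
 * stand-ins so the control flow can be exercised offline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809 };  /* real Secure Transport values */

/* Stand-in for the server's ServerKeyExchange: signature_valid is a constructed
 * flag saying whether the (simulated) RSA signature check would pass. */
struct key_exchange {
    uint8_t params[16];
    int     signature_valid;   /* 1 = signature matches, 0 = forged/tampered */
};

/* Stand-ins for SSLHashSHA1.update/final and sslRawVerify (not real crypto). */
static OSStatus hash_update(uint32_t *ctx, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) *ctx = *ctx * 31u + p[i];
    return errSecSuccess;
}
static OSStatus hash_final(uint32_t *ctx, uint32_t *out) { *out = *ctx; return errSecSuccess; }
static OSStatus raw_verify(const struct key_exchange *kx, uint32_t digest) {
    (void)digest;
    return kx->signature_valid ? errSecSuccess : errSSLCrypto;
}

/* Vulnerable shape: the second, indented "goto fail;" is unconditional.
 * err is still 0 from the successful update, so the function jumps past
 * hash_final() and raw_verify() and returns success for ANY signature. */
OSStatus verify_server_key_exchange_vulnerable(const struct key_exchange *kx) {
    OSStatus err;
    uint32_t ctx = 0, digest;
    if ((err = hash_update(&ctx, kx->params, sizeof kx->params)) != 0)
        goto fail;
        goto fail;   /* the errant line: always taken, err == 0 at this point */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(kx, digest);
fail:
    return err;
}

/* Fixed shape: one goto per check, braces so a stray line cannot silently
 * change control flow, and err starts as a failure so the only way to
 * return success is to reach raw_verify() and have it succeed. */
OSStatus verify_server_key_exchange_fixed(const struct key_exchange *kx) {
    OSStatus err = errSSLCrypto;   /* fail closed */
    uint32_t ctx = 0, digest;
    if ((err = hash_update(&ctx, kx->params, sizeof kx->params)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &digest)) != 0) {
        goto fail;
    }
    err = raw_verify(kx, digest);
fail:
    return err;
}

int main(void) {
    struct key_exchange forged = { {0}, 0 };      /* constructed: bad signature */
    memset(forged.params, 0x41, sizeof forged.params);
    printf("vulnerable: forged signature -> %d (0 means accepted)\n",
           verify_server_key_exchange_vulnerable(&forged));
    printf("fixed:      forged signature -> %d\n",
           verify_server_key_exchange_fixed(&forged));
    return 0;
}
```

The point a reviewer should take from the model is that the vulnerable function accepts a forged key exchange with status 0, exactly the failure the article describes, and that the bug is invisible to a compiler unless unreachable-code warnings are enabled (for example `-Wunreachable-code` in clang), which is one cheap check worth adding to any build that contains `goto`-based error handling.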
A similar patch addressing the same issue in iOS 6 and 7 (iOS 6.1.6 and 7.0.6) was released a few days earlier.
The vulnerability was inadvertently introduced in 2012 and, on the Mac, affects only 10.9 Mavericks; Lion and Mountain Lion are not affected by this particular bug, although Apple has released separate security updates for both of those operating systems too.
- Security Update 2014-001 (Mountain Lion) (115.8 MB)
- Security Update 2014-001 (Lion) (123.40 MB)
- Security Update 2014-001 Server (Lion) (173.60 MB)
The seriousness of the issue is emphasised by just how quickly Apple released both the iOS and now OS X patches for the flaw.
The 10.9.2 update also adds a number of other features, including the ability to make and receive FaceTime audio calls (which was also a feature of the iOS update a couple of days ago).
Other fixes and upgrades revolve around Mail and Safari, as well as a fix for an issue that “may cause audio distortion on certain Macs”. The full list of features and fixes is below.
All users of Mavericks are strongly recommended to update their systems as soon as possible in order to close the vulnerability.
The update is not before time. A report on Apps Gone Free yesterday detailed how one New Zealand security consultant had already developed a proof-of-concept exploit for the then-unpatched OS X flaw.
Nullcube’s Aldo Cortesi blogged about his work, confirming that within 24 hours he was able to exploit the open hole in OS X Mavericks.
“I’ve confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OSX Mavericks,” he wrote. “Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured.”
He then promised not to release the proof of concept to the public “until well after Apple has deployed its patch for OS X”.
Thankfully, that patch is now available, and Mavericks users everywhere can breathe a sigh of relief once it is installed and About This Mac reports version 10.9.2.