Although most users have likely installed OS X 10.9.2 by now, after its release late last month, Apple is providing a reminder to those who haven’t.
Laggards like myself who are still running OS X 10.9.1 have begun to see notifications like the one below over the past day, pushing the critical update, which included a fix for the well-publicized SSL bug found in both iOS 7 and OS X Mavericks.
Following an extensive developer beta process, Apple has just released OS X Mavericks 10.9.2 to end users. The update brings a few new features and enhancements, including:
FaceTime Audio in the FaceTime and Messages apps
Contact blocking for FaceTime and iMessage
Mail app improvements
Autofill fixes for Safari
The release notes do not make mention of the SSL security bug that was squashed on iOS late last week, but a fix is present in this new OS X update. The update is available on the Mac App Store in the Software Update tab.
Yesterday Apple released iOS update 7.0.6 alongside new builds for iOS 6 and Apple TV that it said provided “a fix for SSL connection verification.” While Apple didn’t provide much specific information on the bug, it wasn’t long before the answer was at the top of Hacker News. It turns out that the seemingly minor security fix addressed a major flaw that could in theory allow attackers to intercept communications between affected browsers and just about any SSL-protected site. Not only that, but the bug is also present in current builds of OS X, for which Apple has yet to release a security patch.
“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system),”
Adam Langley, a senior software engineer at Google, also wrote about the flaw on his blog ImperialViolet and created a test site to check if you have the bug:
Following last week’s build, Apple has seeded a new build of OS X Mavericks 10.9.2 to developers. These builds are relatively minor at this point, and point to a near-shipping build of 10.9.2 for the general public. Apple will be bringing FaceTime Audio and iMessage/FaceTime blocking in 10.9.2.