Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Apple Patches Mavericks SSL Flaw: Update Now

Security update patches "goto fail" flaw that enables attackers to intercept communications, but won't help the 23% of Macs running older OS X.

Windows XP Shutdown: 10 Facts To Know
Windows XP Shutdown: 10 Facts To Know
(Click image for larger view and slideshow.)

Apple has released a patch for OS X to fix a critical "goto fail" SSL flaw that attackers could use to eavesdrop on a target's communications, including everything from emails and address book appointments to FaceTime video chats and Find My Mac tracking information.

"The bug was caused by a line of C code that says 'goto fail,' which was a self-descriptive irony too amusing to ignore," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Apple's security update fixes that "SSL connection verification" flaw -- as the technology giant instead labeled it -- in OS X Mavericks 10.9 and 10.9.1, as well as a number of other security problems. Meanwhile, the company also issued security updates for OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, and OS X Lion Server 10.7.5, although none of them are reportedly vulnerable to the goto-fail bug.

Those operating systems also received a patch for Apple's web browser in the form of Safari 6.1.2 and Safari 7.0.2. According to Apple, the patch addresses "multiple memory corruption issues" in the WebKit software on which Safari is based, and which an attacker could exploit by tricking a user into visiting a malicious website.

[More than 90% of enterprises support iOS devices, but does that mean they like it? Learn Why Apple Is IT's Arch Frenemy.]

For Mavericks, the new fix comes in the form of a relatively massive 859.7-MB OS X Mavericks 10.9.2. Update, which builds in a number of other features, including call-waiting support for FaceTime, the ability to make audio-only FaceTime calls, as well as a variety of email, VPN, audio, and other fixes.

Those updates follow Apple's Friday release of an SSL patch for iOS, which updates the iPhone 4 (and newer), iPad 2 (and newer), and iPod Touch (5th generation).

While the new OS X security patches are good news, they leave about one-quarter of Apple users out in the cold. According to Net Market Share, as of January 2014, while 42% of Apple OS X users were on 10.9, 19% on 10.8, and 16% on 10.7, a fair number still use 10.6 (19%), and even 10.5 (4%).

Unlike Microsoft, Apple -- which has promised to begin issuing major operating system updates on an annual basis -- has published no official policy detailing how long it will support older operating systems. Apple's Monday updates continued the company's December decision to stop supporting OS X 10.6, a.k.a. Snow Leopard. As a result, anyone who's using OS X 10.6 -- or older -- is now vulnerable to a number of known security flaws.

Needless to say, anyone using a still-supported version of Apple OS X should install the new security fixes as soon as possible, and especially if they're on Mavericks, because of the goto-fail flaw. "With the right preparation, an attacker who misdirected your attempts to visit, say, 'https://secure.example/' could have exploited the goto fail to trick you into visiting an impostor site without any tell-tale HTTPS certificate warnings popping up," said Ducklin. "The 10.9.2 update, then, is one you ought to apply right away."

Ducklin added that Apple's security update should serve as a lesson for anyone still using Windows XP come April, after Microsoft ceases to support the aging operating system. "A patch for iOS turned into sort of 'attack beacon' that quickly led researchers to an identical but unpatched bug in OS X. The two products share lots of source code, so an injury to one is frequently an injury to all," he said. "This is the same sort of problem that will plague Windows XP when XP's final security patch is shipped in April 2014. Patches for Windows 7 and Windows 8 might lead researchers to an identical but unpatched bug in Windows XP."

Come April, Microsoft will no longer support XP, meaning that no matter which newer Windows security flaws trickle down to XP, no related fixes will be forthcoming.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
2/26/2014 | 5:06:56 PM
responsiveness
Apple has been criticized for years in the security community for acting too slowly and without adequate transparency. Has anything changed?
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...