Mac OS X 10.9 SSL Security Bug: 5 Fast Facts You Need to Know


If you use Mac OS X 10.9, there’s an SSL security bug that you definitely need to know about. Here’s what we know so far about this developing story.

UPDATE: Apple has released OS X Mavericks 10.9.2. 9to5Mac notes:

“The release notes do not make mention of the SSL security bug that was squashed on iOS late last week, but a fix is present in this new OS X update. The update is available on the Mac App Store in the Software Update tab.”

1. The SSL Vulnerability Is in Mac OS X 10.9.1

Mac OS X 10.9.1 has an SSL security vulnerability that could be problematic for some users.

The Register sums up the situation pretty neatly:

“Apple has admitted a bug in Mac OS X 10.9.1 allows hackers to intercept and decrypt SSL-encrypted connections – and has vowed to release a fix ‘very soon.’

Sensitive information, such as bank card numbers and account passwords, sent over HTTPS, IMAPS and other SSL-protected channels from vulnerable Mac computers could easily end up in the hands of snoopers as a result of this security hole…

Apple’s Safari web browser and Mail client running on OS X 10.9.1 are vulnerable to SSL snoopers because they rely on the broken crypto-library; other Cupertino apps such as Facetime and iMessage, and third-party programs using Apple’s crocked code, are all faulty as well. Google Chrome and Mozilla Firefox are not vulnerable because they don’t use the busted SSL library.”

2. The OS X Bug Is Related to the Recent iOS Security Update

Apple released a minor update to iOS 7 last Friday, the 21st of February.

It is now being reported that the iOS security update is related to the issue in OS X 10.9.1. While the iOS patch has fixed the problem on mobile, not everyone has gotten the OS X patch yet.

Threatpost writes that:

“The certificate-validation vulnerability that Apple patched in iOS yesterday also affected Mac OS X up to 10.9.1, the current version…Some users are reporting that Apple is rolling out a patch for this vulnerability in OS X, but it has not shown up for all users as yet.”

3. The Bug’s Cause Was Simple to Pinpoint

Wired writes that this security issue was caused by “a single bad Goto” command.

Wired notes:

“Some software bugs are infinitely subtle and complicated. Others are comprehensible almost at a glance to anyone who dabbled in BASIC as a kid. The iOS 7 bug is in the latter group.”

People are using the hashtag #gotofail on Twitter to talk about this bug.
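
How one stray goto can switch off a security check, shown as a simplified sketch of the pattern behind the #gotofail name. This is an added example, not code from the article and not Apple's source; the function names and the two-step check are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed stand-ins for the steps of a signature check; each returns 0 on
   success and non-zero on failure. These are not Apple's functions. */
static int hash_update(int ok)      { return ok ? 0 : -1; }
static int verify_signature(int ok) { return ok ? 0 : -2; }

/* Flawed shape: the second "goto fail" is not governed by the if, so it always
   runs, and it runs while err is still 0. The signature check is never reached.
   GCC and Clang can flag this layout with -Wmisleading-indentation. */
int verify_buggy(int hash_ok, int sig_ok)
{
    int err;

    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
        goto fail;                      /* duplicated line: unconditional jump */
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;

fail:
    return err;                         /* 0 means "verified" to the caller */
}

/* Corrected shape: one goto per check, braces make the guarded scope explicit. */
int verify_fixed(int hash_ok, int sig_ok)
{
    int err;

    if ((err = hash_update(hash_ok)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig_ok)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Constructed case: hashing succeeds, the signature is forged. */
    printf("buggy accepts forged signature: %s\n", verify_buggy(1, 0) == 0 ? "yes" : "no");
    printf("fixed accepts forged signature: %s\n", verify_fixed(1, 0) == 0 ? "yes" : "no");
    return 0;
}
```

The flawed version still reports an error when the first step fails, which is why ordinary connections kept working and the skipped check went unnoticed.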

4. Business Pros Should Exercise Caution

Search Security has advised readers in the business community to use caution going forward. They quote an expert who advises, “This bug makes SSL worthless if an attacker is on the same network as you.”

They add:

“Until an OS X patch becomes available, experts say enterprises should encourage users to avoid using OS X devices on public networks or other networks where communications are likely to be intercepted.”

5. Fixes Are Coming

Threatpost linked to a “test site” that would tell users if their computer was vulnerable. However, at press time, the link was not working consistently. You can try the test site here.

There is a second test site as well, which can be accessed here. This link was working just fine at press time.

Alternatively, you can check your Mac to see if there is an OS X update ready for you now. As mentioned above, Apple is working on a fix that will be released soon. When that OS X update comes through, PC Mag has some tips on installing it:

“The updates should be applied while on a trusted network, and users should really avoid accessing secure sites while on untrusted networks (especially Wi-Fi) while traveling…”
