Application Security
2/26/2014
12:02 PM
50%
50%

Apple Patches Mavericks SSL Flaw: Update Now

Security update patches "goto fail" flaw that enables attackers to intercept communications, but won't help the 23% of Macs running older OS X.

Windows XP Shutdown: 10 Facts To Know
Windows XP Shutdown: 10 Facts To Know
(Click image for larger view and slideshow.)

Apple has released a patch for OS X to fix a critical "goto fail" SSL flaw that attackers could use to eavesdrop on a target's communications, including everything from emails and address book appointments to FaceTime video chats and Find My Mac tracking information.

"The bug was caused by a line of C code that says 'goto fail,' which was a self-descriptive irony too amusing to ignore," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Apple's security update fixes that "SSL connection verification" flaw -- as the technology giant instead labeled it -- in OS X Mavericks 10.9 and 10.9.1, as well as a number of other security problems. Meanwhile, the company also issued security updates for OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, and OS X Lion Server 10.7.5, although none of them are reportedly vulnerable to the goto-fail bug.

Those operating systems also received a patch for Apple's web browser in the form of Safari 6.1.2 and Safari 7.0.2. According to Apple, the patch addresses "multiple memory corruption issues" in the WebKit software on which Safari is based, and which an attacker could exploit by tricking a user into visiting a malicious website.

[More than 90% of enterprises support iOS devices, but does that mean they like it? Learn Why Apple Is IT's Arch Frenemy.]

For Mavericks, the new fix comes in the form of a relatively massive 859.7-MB OS X Mavericks 10.9.2. Update, which builds in a number of other features, including call-waiting support for FaceTime, the ability to make audio-only FaceTime calls, as well as a variety of email, VPN, audio, and other fixes.

Those updates follow Apple's Friday release of an SSL patch for iOS, which updates the iPhone 4 (and newer), iPad 2 (and newer), and iPod Touch (5th generation).

While the new OS X security patches are good news, they leave about one-quarter of Apple users out in the cold. According to Net Market Share, as of January 2014, while 42% of Apple OS X users were on 10.9, 19% on 10.8, and 16% on 10.7, a fair number still use 10.6 (19%), and even 10.5 (4%).

Unlike Microsoft, Apple -- which has promised to begin issuing major operating system updates on an annual basis -- has published no official policy detailing how long it will support older operating systems. Apple's Monday updates continued the company's December decision to stop supporting OS X 10.6, a.k.a. Snow Leopard. As a result, anyone who's using OS X 10.6 -- or older -- is now vulnerable to a number of known security flaws.

Needless to say, anyone using a still-supported version of Apple OS X should install the new security fixes as soon as possible, and especially if they're on Mavericks, because of the goto-fail flaw. "With the right preparation, an attacker who misdirected your attempts to visit, say, 'https://secure.example/' could have exploited the goto fail to trick you into visiting an impostor site without any tell-tale HTTPS certificate warnings popping up," said Ducklin. "The 10.9.2 update, then, is one you ought to apply right away."

Ducklin added that Apple's security update should serve as a lesson for anyone still using Windows XP come April, after Microsoft ceases to support the aging operating system. "A patch for iOS turned into sort of 'attack beacon' that quickly led researchers to an identical but unpatched bug in OS X. The two products share lots of source code, so an injury to one is frequently an injury to all," he said. "This is the same sort of problem that will plague Windows XP when XP's final security patch is shipped in April 2014. Patches for Windows 7 and Windows 8 might lead researchers to an identical but unpatched bug in Windows XP."

Come April, Microsoft will no longer support XP, meaning that no matter which newer Windows security flaws trickle down to XP, no related fixes will be forthcoming.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
2/26/2014 | 5:06:56 PM
responsiveness
Apple has been criticized for years in the security community for acting too slowly and without adequate transparency. Has anything changed?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8917
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media A...

CVE-2014-8920
Published: 2015-01-28
Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

CVE-2015-0235
Published: 2015-01-28
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-0312
Published: 2015-01-28
Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.

CVE-2015-0581
Published: 2015-01-28
The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related t...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.