Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Apple Patches Mavericks SSL Flaw: Update Now

Security update patches "goto fail" flaw that enables attackers to intercept communications, but won't help the 23% of Macs running older OS X.

Windows XP Shutdown: 10 Facts To Know
Windows XP Shutdown: 10 Facts To Know
(Click image for larger view and slideshow.)

Apple has released a patch for OS X to fix a critical "goto fail" SSL flaw that attackers could use to eavesdrop on a target's communications, including everything from emails and address book appointments to FaceTime video chats and Find My Mac tracking information.

"The bug was caused by a line of C code that says 'goto fail,' which was a self-descriptive irony too amusing to ignore," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Apple's security update fixes that "SSL connection verification" flaw -- as the technology giant instead labeled it -- in OS X Mavericks 10.9 and 10.9.1, as well as a number of other security problems. Meanwhile, the company also issued security updates for OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, and OS X Lion Server 10.7.5, although none of them are reportedly vulnerable to the goto-fail bug.

Those operating systems also received a patch for Apple's web browser in the form of Safari 6.1.2 and Safari 7.0.2. According to Apple, the patch addresses "multiple memory corruption issues" in the WebKit software on which Safari is based, and which an attacker could exploit by tricking a user into visiting a malicious website.

[More than 90% of enterprises support iOS devices, but does that mean they like it? Learn Why Apple Is IT's Arch Frenemy.]

For Mavericks, the new fix comes in the form of a relatively massive 859.7-MB OS X Mavericks 10.9.2. Update, which builds in a number of other features, including call-waiting support for FaceTime, the ability to make audio-only FaceTime calls, as well as a variety of email, VPN, audio, and other fixes.

Those updates follow Apple's Friday release of an SSL patch for iOS, which updates the iPhone 4 (and newer), iPad 2 (and newer), and iPod Touch (5th generation).

While the new OS X security patches are good news, they leave about one-quarter of Apple users out in the cold. According to Net Market Share, as of January 2014, while 42% of Apple OS X users were on 10.9, 19% on 10.8, and 16% on 10.7, a fair number still use 10.6 (19%), and even 10.5 (4%).

Unlike Microsoft, Apple -- which has promised to begin issuing major operating system updates on an annual basis -- has published no official policy detailing how long it will support older operating systems. Apple's Monday updates continued the company's December decision to stop supporting OS X 10.6, a.k.a. Snow Leopard. As a result, anyone who's using OS X 10.6 -- or older -- is now vulnerable to a number of known security flaws.

Needless to say, anyone using a still-supported version of Apple OS X should install the new security fixes as soon as possible, and especially if they're on Mavericks, because of the goto-fail flaw. "With the right preparation, an attacker who misdirected your attempts to visit, say, 'https://secure.example/' could have exploited the goto fail to trick you into visiting an impostor site without any tell-tale HTTPS certificate warnings popping up," said Ducklin. "The 10.9.2 update, then, is one you ought to apply right away."

Ducklin added that Apple's security update should serve as a lesson for anyone still using Windows XP come April, after Microsoft ceases to support the aging operating system. "A patch for iOS turned into sort of 'attack beacon' that quickly led researchers to an identical but unpatched bug in OS X. The two products share lots of source code, so an injury to one is frequently an injury to all," he said. "This is the same sort of problem that will plague Windows XP when XP's final security patch is shipped in April 2014. Patches for Windows 7 and Windows 8 might lead researchers to an identical but unpatched bug in Windows XP."

Come April, Microsoft will no longer support XP, meaning that no matter which newer Windows security flaws trickle down to XP, no related fixes will be forthcoming.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
2/26/2014 | 5:06:56 PM
responsiveness
Apple has been criticized for years in the security community for acting too slowly and without adequate transparency. Has anything changed?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14174
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5....
CVE-2019-20901
PUBLISHED: 2020-07-13
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
CVE-2019-20898
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
CVE-2019-20899
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
CVE-2019-20900
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.