Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Apple Patches Mavericks SSL Flaw: Update Now

Security update patches "goto fail" flaw that enables attackers to intercept communications, but won't help the 23% of Macs running older OS X.

Windows XP Shutdown: 10 Facts To Know
Windows XP Shutdown: 10 Facts To Know
(Click image for larger view and slideshow.)

Apple has released a patch for OS X to fix a critical "goto fail" SSL flaw that attackers could use to eavesdrop on a target's communications, including everything from emails and address book appointments to FaceTime video chats and Find My Mac tracking information.

"The bug was caused by a line of C code that says 'goto fail,' which was a self-descriptive irony too amusing to ignore," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Apple's security update fixes that "SSL connection verification" flaw -- as the technology giant instead labeled it -- in OS X Mavericks 10.9 and 10.9.1, as well as a number of other security problems. Meanwhile, the company also issued security updates for OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, and OS X Lion Server 10.7.5, although none of them are reportedly vulnerable to the goto-fail bug.

Those operating systems also received a patch for Apple's web browser in the form of Safari 6.1.2 and Safari 7.0.2. According to Apple, the patch addresses "multiple memory corruption issues" in the WebKit software on which Safari is based, and which an attacker could exploit by tricking a user into visiting a malicious website.

[More than 90% of enterprises support iOS devices, but does that mean they like it? Learn Why Apple Is IT's Arch Frenemy.]

For Mavericks, the new fix comes in the form of a relatively massive 859.7-MB OS X Mavericks 10.9.2. Update, which builds in a number of other features, including call-waiting support for FaceTime, the ability to make audio-only FaceTime calls, as well as a variety of email, VPN, audio, and other fixes.

Those updates follow Apple's Friday release of an SSL patch for iOS, which updates the iPhone 4 (and newer), iPad 2 (and newer), and iPod Touch (5th generation).

While the new OS X security patches are good news, they leave about one-quarter of Apple users out in the cold. According to Net Market Share, as of January 2014, while 42% of Apple OS X users were on 10.9, 19% on 10.8, and 16% on 10.7, a fair number still use 10.6 (19%), and even 10.5 (4%).

Unlike Microsoft, Apple -- which has promised to begin issuing major operating system updates on an annual basis -- has published no official policy detailing how long it will support older operating systems. Apple's Monday updates continued the company's December decision to stop supporting OS X 10.6, a.k.a. Snow Leopard. As a result, anyone who's using OS X 10.6 -- or older -- is now vulnerable to a number of known security flaws.

Needless to say, anyone using a still-supported version of Apple OS X should install the new security fixes as soon as possible, and especially if they're on Mavericks, because of the goto-fail flaw. "With the right preparation, an attacker who misdirected your attempts to visit, say, 'https://secure.example/' could have exploited the goto fail to trick you into visiting an impostor site without any tell-tale HTTPS certificate warnings popping up," said Ducklin. "The 10.9.2 update, then, is one you ought to apply right away."

Ducklin added that Apple's security update should serve as a lesson for anyone still using Windows XP come April, after Microsoft ceases to support the aging operating system. "A patch for iOS turned into sort of 'attack beacon' that quickly led researchers to an identical but unpatched bug in OS X. The two products share lots of source code, so an injury to one is frequently an injury to all," he said. "This is the same sort of problem that will plague Windows XP when XP's final security patch is shipped in April 2014. Patches for Windows 7 and Windows 8 might lead researchers to an identical but unpatched bug in Windows XP."

Come April, Microsoft will no longer support XP, meaning that no matter which newer Windows security flaws trickle down to XP, no related fixes will be forthcoming.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Oldest First  |  Newest First  |  Threaded View
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
2/26/2014 | 5:06:56 PM
responsiveness
Apple has been criticized for years in the security community for acting too slowly and without adequate transparency. Has anything changed?
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.