Apple has released a patch for OS X to fix a critical "goto fail" SSL flaw that attackers could use to eavesdrop on a target's communications, including everything from emails and address book appointments to FaceTime video chats and Find My Mac tracking information.
"The bug was caused by a line of C code that says 'goto fail,' which was a self-descriptive irony too amusing to ignore," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.
Apple's security update fixes that "SSL connection verification" flaw -- as the technology giant instead labeled it -- in OS X Mavericks 10.9 and 10.9.1, as well as a number of other security problems. Meanwhile, the company also issued security updates for OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, and OS X Lion Server 10.7.5, although none of them are reportedly vulnerable to the goto-fail bug.
Those operating systems also received a patch for Apple's web browser in the form of Safari 6.1.2 and Safari 7.0.2. According to Apple, the patch addresses "multiple memory corruption issues" in the WebKit software on which Safari is based, and which an attacker could exploit by tricking a user into visiting a malicious website.
[More than 90% of enterprises support iOS devices, but does that mean they like it? Learn Why Apple Is IT's Arch Frenemy.]
For Mavericks, the new fix comes in the form of a relatively massive 859.7-MB OS X Mavericks 10.9.2. Update, which builds in a number of other features, including call-waiting support for FaceTime, the ability to make audio-only FaceTime calls, as well as a variety of email, VPN, audio, and other fixes.
Those updates follow Apple's Friday release of an SSL patch for iOS, which updates the iPhone 4 (and newer), iPad 2 (and newer), and iPod Touch (5th generation).
While the new OS X security patches are good news, they leave about one-quarter of Apple users out in the cold. According to Net Market Share, as of January 2014, while 42% of Apple OS X users were on 10.9, 19% on 10.8, and 16% on 10.7, a fair number still use 10.6 (19%), and even 10.5 (4%).
Unlike Microsoft, Apple -- which has promised to begin issuing major operating system updates on an annual basis -- has published no official policy detailing how long it will support older operating systems. Apple's Monday updates continued the company's December decision to stop supporting OS X 10.6, a.k.a. Snow Leopard. As a result, anyone who's using OS X 10.6 -- or older -- is now vulnerable to a number of known security flaws.
Needless to say, anyone using a still-supported version of Apple OS X should install the new security fixes as soon as possible, and especially if they're on Mavericks, because of the goto-fail flaw. "With the right preparation, an attacker who misdirected your attempts to visit, say, 'https://secure.example/' could have exploited the goto fail to trick you into visiting an impostor site without any tell-tale HTTPS certificate warnings popping up," said Ducklin. "The 10.9.2 update, then, is one you ought to apply right away."
Ducklin added that Apple's security update should serve as a lesson for anyone still using Windows XP come April, after Microsoft ceases to support the aging operating system. "A patch for iOS turned into sort of 'attack beacon' that quickly led researchers to an identical but unpatched bug in OS X. The two products share lots of source code, so an injury to one is frequently an injury to all," he said. "This is the same sort of problem that will plague Windows XP when XP's final security patch is shipped in April 2014. Patches for Windows 7 and Windows 8 might lead researchers to an identical but unpatched bug in Windows XP."
Come April, Microsoft will no longer support XP, meaning that no matter which newer Windows security flaws trickle down to XP, no related fixes will be forthcoming.
Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio