Apple patches critical 'gotofail' bug with Mavericks update
Ships OS X 10.9.2 with nearly three-dozen security fixes; adds FaceTime audio calls
Computerworld - Apple today updated OS X Mavericks, plugging the embarrassing security hole the Cupertino, Calif. company left wide open in the operating system's implementation of basic Internet encryption.
Mac users running Mavericks should update as soon as possible, as exploit code has already begun circulating on the Internet.
OS X 10.9.2, which weighed in at between 460MB and 860MB for the download, patched the vulnerability, according to tests conducted by Computerworld using the gotofail.com website, which indicated that Safari was again secure.
The update, the first since mid-December, patched 32 other vulnerabilities in various versions of OS X, including six in QuickTime, Apple's media player, and more disturbing, four bugs that could be used by attackers to bypass the application "sandbox," an isolation technology designed to minimize damage when malware does make it onto a Mac.
But CVE-2014-1266, the identifier for the bug in Mavericks' handling of SSL (Secure Sockets Layer) and TLS (Transport Layer Security), was the one that stood out. Those protocols create an encrypted, authenticated connection between a personal computer and a server -- such as one at Amazon.com -- so that snoopers cannot read the traffic and extract information like credit card numbers or log-in credentials.
The flaw had been dubbed the "gotofail" bug because Apple left a duplicated "goto fail;" line in the Secure Transport code that verified the server's signature during the SSL/TLS handshake. The stray line unconditionally jumped past the signature check, so the function returned success whether or not the signature matched, letting an attacker sitting between a Mac and a server impersonate that server. Many security experts blasted Apple for not catching so monumental an oversight during development and testing, or in the 16 months since the release of iOS 6, where it first appeared.
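The control-flow defect described above, reduced to a runnable illustration. This is an added example, not Apple's Secure Transport source: the hash and signature routines are stand-ins that only report success or failure, the function names are assumed for the illustration, and the fail-closed variant at the end is an editorial suggestion rather than Apple's fix.

```c
#include <stdio.h>

/* Added illustration of the CVE-2014-1266 "gotofail" control-flow defect.
 * This is not Apple's Secure Transport source. The hashing and signature
 * steps are stand-ins that only report success or failure so the example
 * runs stand-alone; the real SSLVerifySignedServerKeyExchange hashed the
 * ServerKeyExchange parameters and then verified the server's signature
 * over that hash. */

typedef int OSStatus;
enum { noErr = 0, errSSLCrypto = -9809 };  /* errSSLCrypto as in SecureTransport.h */

/* Stand-ins for the SHA-1 update/final steps: always succeed here. */
static OSStatus hash_update(void) { return noErr; }
static OSStatus hash_final(void)  { return noErr; }

/* Stand-in for the raw signature check. signature_valid == 0 models a
 * forged ServerKeyExchange signature presented by a man-in-the-middle. */
static OSStatus raw_verify(int signature_valid)
{
    return signature_valid ? noErr : errSSLCrypto;
}

/* Vulnerable shape. The second "goto fail;" is unconditional (its
 * indentation only makes it look guarded by the if), so control always
 * jumps to the cleanup label before raw_verify() runs, with err still
 * holding noErr from the last successful hash step. */
OSStatus verify_vulnerable(int signature_valid)
{
    OSStatus err;

    if ((err = hash_update()) != 0)      /* hash serverRandom */
        goto fail;
    if ((err = hash_update()) != 0)      /* hash signedParams */
        goto fail;
        goto fail;                       /* the duplicated line */
    if ((err = hash_final()) != 0)
        goto fail;
    err = raw_verify(signature_valid);   /* never reached */
fail:
    return err;
}

/* The fix: the duplicated line removed, so the signature check runs. */
OSStatus verify_fixed(int signature_valid)
{
    OSStatus err;

    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    err = raw_verify(signature_valid);
fail:
    return err;
}

/* Fail-closed variant (editorial suggestion, not Apple's code): the status
 * defaults to failure and only becomes noErr at the explicit success point.
 * The same stray goto is deliberately left in to show that a skipped check
 * can no longer be reported as success; the connection fails loudly instead. */
OSStatus verify_fail_closed_with_stray_goto(int signature_valid)
{
    OSStatus err = errSSLCrypto;         /* assume failure until proven otherwise */

    if (hash_update() != noErr)
        goto fail;
    if (hash_update() != noErr)
        goto fail;
        goto fail;                       /* same defect, deliberately retained */
    if (hash_final() != noErr)
        goto fail;
    err = raw_verify(signature_valid);
fail:
    return err;
}

int main(void)
{
    printf("vulnerable, forged signature: %d (0 = accepted)\n", verify_vulnerable(0));
    printf("fixed,      forged signature: %d\n", verify_fixed(0));
    printf("fixed,      valid signature:  %d\n", verify_fixed(1));
    printf("fail-closed + stray goto:     %d (non-zero = rejected)\n",
           verify_fail_closed_with_stray_goto(1));
    return 0;
}
```

The vulnerable function accepts a forged signature because the variable that carries the verdict already holds "success" when the stray jump happens. The fail-closed variant shows why that matters beyond this one line: had the status defaulted to failure, the duplicated goto would have broken every TLS connection in testing instead of silently accepting every one in production.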
Apple took heat for the delay in patching Mavericks; it issued updates for iOS 6 and iOS 7 on Feb. 21 that plugged the gotofail hole.
"How difficult is it to release for OS X?" asked Andrew Storms, director of DevOps at security firm CloudPassage, in an interview yesterday. "Shouldn't it have been out an hour later?"
Storms defended his criticism, and that of other security professionals. "We all know what happens. Whenever patches don't appear simultaneously, attackers mine it in one version for others. It's the gateway for finding the bug," Storms said.
In a separate security-only update, Apple patched four vulnerabilities in 2012's Safari 6, pushing the version number to 6.1.2. Safari 6 is the most current edition of Apple's browser for OS X 10.7, aka Lion, and OS X 10.8, or Mountain Lion. Those flaws were also fixed in Safari 7.0.2 for Mavericks, which was bundled with the 10.9.2 update.
Along with the vulnerability patches in OS X 10.9.2, Apple also provided several non-security fixes to deal with reliability, stability and performance issues, as well as a few that beefed up some integrated features and tools.
Mac users can now make and take audio-only calls using FaceTime, OS X's built-in video conferencing software, and block incoming iMessages from individual users. iMessages is the Mac's integrated chat and texting client that lets users bypass carriers' SMS fees when sending and receiving messages to and from iOS and OS X devices.
OS X 10.9.2 addressed other problems as well, resolving one that prevented Mail from receiving some email messages; fixing another that erratically disconnected VPN (virtual private network) connections, which are often used by workers to connect to their businesses' networks; and tackling two related to how Mail handled Google Gmail mailboxes and message labels.
Apple posted a longer list of 10.9.2's contents on its website.
OS X 10.9.2 and Safari 6.1.2 can be retrieved by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right. Mavericks 10.9.2 can also be downloaded manually from Apple's support site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed.