Apple patches Secure Transport, but not because of Heartbleed
'Triple-handshake attack' threat quashed in update for OS X Mavericks and Mountain Lion, and iOS 7
Computerworld - Apple today issued a security-only update for OS X, patching 25 vulnerabilities in Mavericks, its newest operating system, and 7 bugs in older editions.
Tuesday's Security Update 2014-002 was unusual in that it patched numerous flaws but was not accompanied by a non-security refresh of Mavericks, as is Apple's custom in its support of the current Mac OS.
Along with the two-dozen-plus-one patches for Mavericks, the update also addressed two bugs in Lion and seven in Mountain Lion, the precursors to Mavericks which shipped in 2011 and 2012, respectively.
Apple has stopped shipping security updates for OS X Snow Leopard, the 2009 edition that powered 17% of all Macs last month.
Security Update 2014-002 contained patches for several run-of-the-mill vulnerabilities, a font parsing bug while viewing malformed PDFs here, an circumvention of the kernel's ASLR (Address Space Layout Randomization) anti-exploit defenses there, but the one that immediately stuck out was tagged as CVE-2014-1295.
"An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL," read Apple's advisory for CVE-2014-1295, referring to Secure Sockets Layer, one of the standard means of encrypting Internet traffic between clients and site servers.
Although the vulnerability wasn't associated with the Heartbleed exploit -- the flaw in OpenSSL that has made headlines for the two weeks -- the mere mention of "SSL" in Apple's advisory was enough to instantly put the bug in the limelight.
Apple credited a trio of researchers with reporting the vulnerability -- Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti -- who work with the Prosecco research team, which specializes in cryptography and is part of INRIA Paris-Rocquencourt, a national research center in France.
The three presented a paper on the flaw at a meeting of the Internet Engineering Task Force (IETF) last month.
"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," Apple conceded.
The Cupertino, Calif. company patched its Secure Transport -- Apple's name for its implementation of SSL and TLS (Transport Layer Security) -- in Mavericks and Mountain Lion. The bug did not affect Lion and earlier editions of the Mac operating system.
In a separate update, Apple also patched iOS's implementation of Secure Transport with iOS 7.1.1. The update fixed a number of other flaws, most of them in WebKit, the open-source browser engine that powers Safari.
Security Update 2014-002, an 80MB download for Mavericks, can be retrieved by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Apple unveils minor bumps to MacBook Pro laptops
- Feds arrest Florida man who allegedly conned Apple out of $309K
- Yosemite's traffic share triples after public beta debuts
- Apple hasn't exhausted its supply of Yosemite betas
- 13 pieces of advice for Yosemite beta testers
- The other Apple economy: $2B in devices on eBay
- Apple sends users scrambling for OS X Yosemite
- Long replacement cycle drags down iPad sales
- Apple unwraps OS X Yosemite public beta Thursday
- Apple grows Mac sales by 18% on the back of the MacBook Air
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Mission Critical: Managing Mobile Applications & Content Smartphones, tablets and other mobile devices have become embedded in enterprise processes, thanks to the consumerization of IT and a new generation of...
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Planning for Mobile Success Many organizations are seeing clear and quantifiable benefits from the deployment of mobile technologies that provide access to data and applications any time,...
- The Challenges and Opportunities of Mobile Application Development Nearly all business users now demand mobile devices--their own or company-owned--along with anywhere access to corporate applications and data. What turns mobile devices...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Mac OS X White Papers | Webcasts