Apple patches Secure Transport, but not because of Heartbleed
'Triple-handshake attack' threat quashed in update for OS X Mavericks and Mountain Lion, and iOS 7
Computerworld - Apple today issued a security-only update for OS X, patching 25 vulnerabilities in Mavericks, its newest operating system, and 7 bugs in older editions.
Tuesday's Security Update 2014-002 was unusual in that it patched numerous flaws but was not accompanied by a non-security refresh of Mavericks, as is Apple's custom in its support of the current Mac OS.
Along with the two-dozen-plus-one patches for Mavericks, the update also addressed two bugs in Lion and seven in Mountain Lion, the precursors to Mavericks which shipped in 2011 and 2012, respectively.
Apple has stopped shipping security updates for OS X Snow Leopard, the 2009 edition that powered 17% of all Macs last month.
Security Update 2014-002 contained patches for several run-of-the-mill vulnerabilities, a font parsing bug while viewing malformed PDFs here, an circumvention of the kernel's ASLR (Address Space Layout Randomization) anti-exploit defenses there, but the one that immediately stuck out was tagged as CVE-2014-1295.
"An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL," read Apple's advisory for CVE-2014-1295, referring to Secure Sockets Layer, one of the standard means of encrypting Internet traffic between clients and site servers.
Although the vulnerability wasn't associated with the Heartbleed exploit -- the flaw in OpenSSL that has made headlines for the two weeks -- the mere mention of "SSL" in Apple's advisory was enough to instantly put the bug in the limelight.
Apple credited a trio of researchers with reporting the vulnerability -- Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti -- who work with the Prosecco research team, which specializes in cryptography and is part of INRIA Paris-Rocquencourt, a national research center in France.
The three presented a paper on the flaw at a meeting of the Internet Engineering Task Force (IETF) last month.
"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," Apple conceded.
The Cupertino, Calif. company patched its Secure Transport -- Apple's name for its implementation of SSL and TLS (Transport Layer Security) -- in Mavericks and Mountain Lion. The bug did not affect Lion and earlier editions of the Mac operating system.
In a separate update, Apple also patched iOS's implementation of Secure Transport with iOS 7.1.1. The update fixed a number of other flaws, most of them in WebKit, the open-source browser engine that powers Safari.
Security Update 2014-002, an 80MB download for Mavericks, can be retrieved by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Apple updates OS X Yosemite public beta
- Even rivals are waiting for Apple to get into wearables
- Apple preps final non-security Mavericks update
- New Yosemite dev preview may herald public beta update later this week
- iPhone 5C's China bust raises questions about Apple's pricing for '14 models
- Mac sales so far in '14 may signal share push
- China scrubs Apple's iPad and MacBooks from government buying list
- Circle the date: Apple's iPhone 6 event slated for Sept. 9
- Stable Mac prices fuel reliable profit engine
- Apple unveils minor bumps to MacBook Pro laptops
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- IDG Research Survey: Are you Paying Too Much for Your NMS? Feel like you're paying too much for network monitoring? You're not alone. This survey brief summarizes findings from research recently fielded by IDG...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Tips to Simplify Database Administration and Development Make your job easier while getting the most from the leading productivity tool for database professionals. Learn tips from Dell Software's Oracle® ACE,...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How... All Mac OS X White Papers | Webcasts