Apple today updated OS X Mavericks, plugging the embarrassing SSL security hole that the company left wide open in the operating system's implementation of basic Internet encryption.
Mac users running Mavericks should update as soon as possible, as exploit code has already begun circulating on the Internet. Apple had the same flaw in iOS, which it patched over the weekend.
OS X 10.9.2, which weighed in at between 460MB and 860MB for the download, patches the vulnerability, according to tests conducted by Computerworld using the gotofail.com website, which indicated that the Safari browser was again secure.
The update, the first since mid-December, patched 32 other vulnerabilities in various versions of OS X, including six in QuickTime, Apple's media player, and, more disturbingly, four bugs that could be used by attackers to bypass the application sandbox, an isolation technology designed to minimize damage when malware does make it onto a Mac.
But CVE-2014-1266, the identifier for the bug in Mavericks' handling of SSL (Secure Sockets Layer) and TLS (Transport Layer Security), was the one that stood out. Those protocols create an encrypted connection between a personal computer and a server -- such as one at Amazon.com -- so that snoopers cannot read the traffic and extract information like credit card numbers or login credentials.
The flaw had been dubbed the "gotofail" bug because Apple left an extraneous "goto" command in the code that validated SSL certificates, a monumental oversight that many security experts blasted Apple for not catching during development and testing, or in the 16 months since the release of iOS 6, where it first appeared.
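To show why a single stray "goto" defeats certificate validation, here is a constructed illustration of the control-flow pattern, added for this article and not Apple's Secure Transport source. The function names, the error codes, and the two-step "hash, then signature" verifier are assumptions chosen to make the mechanism visible: the duplicated jump is unconditional, so the code after it never runs and the error variable still holds the success value from the last check that did complete.

```c
#include <stdio.h>

/* Constructed illustration of the "gotofail" control-flow bug: a verifier
 * with sequential checks that jump to a shared cleanup label on error.
 * All names and checks here are assumptions for this example; this is not
 * Apple's code. */

typedef int OSStatus;          /* 0 = success, non-zero = error (assumed convention) */
enum { errOK = 0, errBadHash = -1, errBadSignature = -2 };

/* Simulated handshake inputs: whether each verification step would pass. */
struct handshake {
    int hash_ok;       /* transcript hash computes correctly */
    int signature_ok;  /* server's signature over that hash verifies */
};

/* Buggy verifier: the second "goto fail;" is not guarded by the if above
 * it, so it is always taken. The signature check below is dead code, and
 * err is still errOK from the hash step, so a forged signature is accepted. */
OSStatus verify_buggy(const struct handshake *h)
{
    OSStatus err = errOK;

    if ((err = h->hash_ok ? errOK : errBadHash) != 0)
        goto fail;
        goto fail;   /* extraneous: unconditional, skips the signature check */
    if ((err = h->signature_ok ? errOK : errBadSignature) != 0)
        goto fail;

fail:
    return err;      /* cleanup would go here; returns 0 for a bad signature */
}

/* Fixed verifier: exactly one guarded jump per check; braces make the
 * scope of each conditional explicit so a duplicated line cannot hide. */
OSStatus verify_fixed(const struct handshake *h)
{
    OSStatus err = errOK;

    if ((err = h->hash_ok ? errOK : errBadHash) != 0) {
        goto fail;
    }
    if ((err = h->signature_ok ? errOK : errBadSignature) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Constructed case: hash is fine, but the signature does not verify. */
    struct handshake forged = { .hash_ok = 1, .signature_ok = 0 };
    printf("buggy verifier: %d (0 means accepted)\n", verify_buggy(&forged));
    printf("fixed verifier: %d (non-zero means rejected)\n", verify_fixed(&forged));
    return 0;
}
```

The buggy version returns 0 for the forged handshake, which is the whole story of the flaw: nothing crashed, the connection simply looked valid. Two cheap defenses catch this class of defect: an unreachable-code warning from the compiler (clang's -Wunreachable-code flags the dead signature check) treated as an error in CI, and a negative test like the one in main above, which feeds a deliberately bad signature to the verifier and fails the build if it is accepted.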
Apple took heat for the delay in patching Mavericks; it issued updates for iOS 6 and iOS 7 on Feb. 21 that plugged the gotofail hole.
"How difficult is it to release for OS X?" asked Andrew Storms, director of DevOps at security firm CloudPassage, in an interview yesterday. "Shouldn't it have been out an hour later?"
Storms defended his criticism, and that of other security professionals. "We all know what happens. Whenever patches don't appear simultaneously, attackers mine it in one version for others. It's the gateway for finding the bug," Storms said.
In a separate security-only update, Apple patched four vulnerabilities in 2012's Safari 6, pushing the version number to 6.1.2. Safari 6 is the most current edition of Apple's browser for OS X 10.7 Lion and OS X 10.8 Mountain Lion. The same flaws were also fixed in Safari 7 for Mavericks, taking it to 7.0.2; that Safari update was bundled with 10.9.2.
Along with the vulnerability patches in OS X 10.9.2, Apple also provided several nonsecurity fixes to deal with reliability, stability, and performance issues, as well as a few that beefed up some integrated features and tools.
Mac users can now make and take audio-only calls using FaceTime, OS X's built-in video conferencing software, and block incoming iMessages from individual users. iMessage is OS X's and iOS's integrated chat and texting client that lets users bypass carriers' SMS fees when sending and receiving messages to and from iOS and OS X devices.