Apple ships OS X 10.9.2 - delivers on promise to patch SSL/TLS hole "very soon"

Filed Under: Apple, Featured, Security threats, Vulnerability

Forget my unofficial patch for OS X!

Apple has done what it said, and delivered the latest update to Mavericks, numbered OS X 10.9.2, "very soon."

As usual, Apple's dedicated Security Updates page (HT1222) doesn't yet mention what's in 10.9.2. [As at 2014-02-26T00:44Z.]

→ For the Nth time, I implore Apple - and you should email Cupertino about it to add your voice, too - not to follow an update process that explicitly refers you to HT1222 for security information but doesn't update that page until much later.

But the Combo Update download page does mention what we all want to hear:

This update ... provides a fix for SSL connection verification.

The notes don't actually say CVE-2014-1266, but that's what it's all about.

In case you missed the brouhaha, CVE-2014-1266 was patched in iOS 7.0.6 late last week, with little more to go on than that it fixed a problem with "SSL connection verification."

Apple generally remains pretty tight-lipped about the specifics of what it just patched, which was a bit of a pity in this case.

The brevity of the iOS notification merely egged on security researchers to answer for themselves the question, "Is it, or isn't it, an exploitable Man-in-the-Middle hole?"

Was the bug of a fail-safe sort that might sometimes cause legitimate sites to produce errors?

Or was is a fail-soft fault that might allow imposter "secure" sites to pass muster as the real thing?

Of course, as we discussed in detail elsewhere, answering those questions also delivered the answer to, "Is the same bug in OS X?"

Yes, it is.

The bug was caused by a line of C code that says goto fail, which was a self-descriptive irony too amusing to ignore.

So the bug quickly became known as the "goto fail", or even the "double-goto-fail." (The error was that the line appeared twice instead of once.)

With the right preparation, an attacker who misdirected your attempts to visit, say, https://secure.example/ could have exploited the goto fail to trick you into visiting an impostor site without any tell-tale HTTPS certificate warnings popping up.

The 10.9.2 update, then, is one you ought to apply right away.

You're probably wondering why Apple didn't simply push out the iOS and OS X updates at the same time.

We shall probably never know for sure, but a likely reason is that the iOS update was a comparatively modest security fix, chiming in at a few tens of megabytes, while the OS X update is about 800MB, and offers a range of other changes and enhancements beyond the SSL fix.

Perhaps Apple felt it could do with a few more days of testing OS X 10.9.2?

That's all moot now, as is my unofficial patch published on Monday, which closed off the hole with a minimalistic change of just 5 bytes to the bug-affected system file.

→ I've installed the official update, and I can confirm that disassembling the updated SecureTransport library in 10.9.2 shows that the certificate verification code has been repaired - including the previously missing call to the all-important sslRsaVerify() function. The new library file has version number 55471.14.0, up from 55471.0.0 in the buggy version.

By the way, while you're waiting for the OS X 10.9.2 update to download, take heed of this lesson it teaches you.

A patch for iOS turned into sort of "attack becaon" that quickly led researchers to an identical but unpatched bug in OS X.

The two products share lots of source code, so an injury to one is frequently an injury to all.

This is the same sort of problem that will plague Windows XP when XP's final security patch is shippped in April 2014.

Patches for Windows 7 and Windows 8 might lead researchers to an identical but unpatched bug in Windows XP.

Unlike in this case, where OS X "caught up" within a few days, Windows XP will never catch up - in fact, it will be behind for ever.

So, remember (if you will forgive Windows sticking its nose into an article about OS X) that friends don't let friends use XP.

, , , , , ,

You might like

10 Responses to Apple ships OS X 10.9.2 - delivers on promise to patch SSL/TLS hole "very soon"

  1. Craig H · 50 days ago

    umm nope.. just now, all references to the SSL issue are no longer on apple sites or updates that I can see

  2. Go to the apple-Menu on your desktop and change to software-Update.
    That´s all...

    • Paul Ducklin · 50 days ago

      Or grab the Combo Update, save it to a removable drive, and then update from the DMG. Great if you need to reinstall. (Or live in a house of Mac users with a capped 3G internet service, or whatnot.)

  3. Vito · 50 days ago

    This page...

    http://support.apple.com/kb/HT6150

    ...now provides details about what's in Security Update 2014-001, and explicitly mentions CVE-2014-1266 under the "Data Security" section.

    None of that information was available when I looked for it on 2014-02-25, the date the patches were released.

  4. Richard P · 48 days ago

    I'm running OS X 10.6.8 and have seen no update. Is this issue restricted to OS X 10.7+, or has OS 10.6 gone all XP on us?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog