Apple releases OS X Mavericks 10.9.3, repeats last month’s security updates

In the very latest Chet Chat podcast, we wondered aloud if Apple was heading into what you might call the “patching mainstream.”

That’s where you have some sort of schedule for security updates, and some sort of willingness to engage with your customers as soon as security problems arise, rather than only after they have been completely solved.

Apple has always taken a contrary stance, with its official verbiage making the company’s Security Cone of Silence policy quite clear:

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.

(Quite how it protects your customers to keep them in the pitch dark until each issue is completely solved has never been clear to us here on Naked Security.)

Anyway, in the podcast, we put it this way, saying, “It would just be nice if [Apple] took that old policy about not saying a word until it’s too late, tore it into little bits, and started doing what the rest of the world was doing.”

Apple certainly seems to be leaning in that direction, given that it recently violated its own policy twice.

The company commented publicly, before it had patches ready, after a security flaw was reported in iOS email encryption, and when a risky SSL bug was found in OS X.

The company acknowledged these security holes, and admitted right away it was working to fix them.

Huzzah for that!

And, wouldn’t you know it, within 12 hours of publishing the afore­mentioned podcast, an Apple Security Advisory dropped into our inboxes.

But it wasn’t the promised iOS lock screen patch, delivered in double-quick time.

Instead, it was a full-blooded point release that has been bubbling along in Beta for a while: OS X Mavericks 10.9.3.

Often, OS X point releases contain a raft of new features and a slew of security fixes, but this one seems to be different.

OS X 10.9.3

As far as we can tell, and as far as Apple seems to be saying, 10.9.3 seems to be last month’s security update, 2014-002, delivered along with a modest list of bug fixes, oops, new features and improvements.

The list is brief:

  1. Improves 4K display support on Mac Pro (Late 2013) and MacBook Pro with 15-inch Retina Display (Late 2013)
  2. Adds the ability to sync contacts and calendars between a Mac and iOS device using a USB connection
  3. Improves the reliability of VPN connections using IPsec
  4. Includes Safari 7.0.3

As it happens, Safari 7.0.3 was itself rolled into Security Update 2014-002, at least on Mavericks, so that too is an security fix that you really ought to have had for some time if you are an OS X user.

Should you update?

So, should you apply the 10.9.3 update?

If you skipped Security Update 2014-002, then the answer is an unqualified, “Yes.”

If you applied 2014-002, then it doesn’t sound as though this is a must-have from a security point of view.

→ The OS X 10.9.3 update is just under 0.5GB if you are already on 10.9.2, or just under 1GB if you want the “Combo” update that can jump you forward from any earlier version of OS X 10.9, including from a fresh installation.

But there is one new feature that ought to make a great many Naked Security readers happy, namely item (2) above.

Some Naked Security readers have told us that they’re sticking with older versions of OS X, and avoiding Mavericks altogether, because Mavericks forces you to sync iOS devices via Apple’s cloud service, rather than over a regular USB cable.

What with the ongoing revelations about the extent to which online traffic is snooped on and slurped up by the world’s intelligence services, this understandably upset a lot of people.

Apparently, Apple listened.

You can once again sync from your Mac to your iDevice over 15cm of USB cable, rather than sending your personal information on a ecologically unsound 40,000km round-the-world data trip via one of Apple’s server farms.

Huzzah for that!

iTunes 11.2

By the way, Apple is pushing out an update to iTunes at the same time, taking it to 11.2.

As usual, Apple sends you to its HT1222 landing page for security information about the new iTunes version, but HT1222 hasn’t been updated yet. [2014-05-15T22:05Z]

So we can’t tell you whether you need to grab the new iTunes (which is also updated on Windows, in 32-bit and 64-bit flavours) for security reasons, or whether you might merely wish to do so, based on its new feature list.

I guess that answers our question from the top of the article, “Is Apple heading into the patching mainstream?”

Nearly. But not quite.

Update. Shortly after this article went live, an email arrived from Apple Product Security stating that the Windows version of iTunes 11.2 fixes a bug in HTTP cookie handling that could allow authentication credentials to be hijacked. That makes the iTunes update into a need, not just a want. [2014-05-15T22:50Z]