Jump to content

Current OS X builds security issues


Darvinko

Recommended Posts

Apple's OS X builds (up through the latest developer builds of 10.9.2) have a SSL flaw which keeps the certificates from being validated. Translation: use caution as this leaves you vulnerable. It is suggested that you avoid using your devices on unprotected networks with questionable security (no encryption). The flaw allows someone to intercept and view or modify traffic over non-protected or poorly protected networks (read WEP encryption). Patches are expected shortly (and have already been released for the same flaw in iOS devices (iphone, iPad, ipod & Apple TV)). Until Apple resolves this SSL validation issue, you should avoid questionable and public networks and update as necessary only by trusted networks. Additionally, you might want to change the setting on your "Ask to Join Other Networks" to "OFF"

Here is a link to the patch (iOS 7.0.6) for the appropriate devices. Apple has not yet released a patch for OS X devices. - http://support.apple.com/kb/HT6147  For older devices and Apple TV patches, see here: http://support.apple.com/kb/HT1222

UPDATE: Apple has acknowledged the issue and has promised that a patch will be available "very soon". I will add a link to the patch if necessary, although I believe it will come through normal update procedures, possible even a "forced" update (one that downloads in the background and installs upon a subsequent reboot).

UPDATE 2: It appears that the flaw MAY be limited to Mavericks builds 10.9.0 to the current developer 10.9.2 beta 7 build (I'm not certain about earlier pre-GM & GM developer builds as I no longer have them) and is due to a duplicated line of code. Hopefully it will only require removing that line, recompiling and testing.

UPDATE 3: Apple has pre-released 10.9.2 to some employees, with FaceTime audio, Call Waiting for FaceTime Audio & Video calls, the ability to block incoming iMessages from individual senders and a patch for the above mentioned SSL issue. Past practice indicates this is done just prior to a public release, so it is unknown whether a stand alone patch (such as was issued for iOS) will be issued, or if the patch will be incorporated into this build. 

As you may know, Apple has released 10.9.2, which, along with the SSL patch, has provided updates/upgrades to other features, including those listed above. There is currently no stand alone patch for the "gotofail" issue. Additional security updates have also been issued for Lion and Mountain Lion.

  • Like 1
Link to comment
Share on other sites

×
×
  • Create New...