SSL flaw to be patched in upcoming software release for OS X users

Feb 23, 2014 10:07 GMT

Following the discovery of a bug which leaves Apple's SSL/TLS library vulnerable to outside attacks, the Cupertino company has issued a statement confirming that a software fix is on the way.

Discovered in iOS for iPhone, iPod touch, iPad, and Apple TV, and subsequently found in OS X as well, the flaw would allow an attacker with a privileged network position to “capture or modify data in sessions protected by SSL/TLS.”

Confirming that the vulnerability affects both of Apple’s OSes, spokeswoman Trudy Muller now tells Reuters, “We are aware of this issue and already have a software fix that will be released very soon.”

Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc., describes the flaw as a “fundamental bug in Apple's SSL implementation.” In other words, expect a patch to be released next week.

The severity of the flaw became immediately visible when Apple released not only an unexpected iOS 7.0.6 update, but also iOS 6.1.6 for older-generation devices that don’t normally receive updates anymore.

Even the Apple TV software got a similar patch, which made it apparent that Apple’s entire software ecosystem was affected by the flaw. Software researchers then quickly confirmed their hunches, namely that OS X was vulnerable too.

Apple could either cook up a standalone fix or include the patch in the upcoming OS X 10.9.2 update for Mavericks users and additional security updates for older OS X versions.

The company is just about done developing this imminent Mavericks update, so there’s no reason not to believe that Apple is launching it next week, especially given the urgency of the matter.

OS X 10.9.2 will be a free update for all Mavericks users, and any standalone updates designed to deal with this security flaw will be deployed in tandem.