Incremental update includes the highly anticipated SSL/TLS fix

Feb 25, 2014 20:07 GMT

Apple today released OS X 10.9.2, a highly anticipated software update that was initially tasked with adding a number of new features and small tweaks, but ended up as an urgent release because of a security flaw.

OS X Mavericks v10.9.2 is highly recommended for all OS X Mavericks users, as “it improves the stability, compatibility, and security of your Mac,” the company headquartered at 1 Infinite Loop, Cupertino, California, says.

According to Apple’s official release notes, this update adds these key features and fixes.

• the ability to make and receive FaceTime audio calls
• call waiting support for FaceTime audio and video calls
• the ability to block incoming iMessages from individual senders
• improves the accuracy of unread counts in Mail
• resolves an issue that prevented Mail from receiving new messages from certain providers
• improves AutoFill compatibility in Safari
• fixes an issue that may cause audio distortion on certain Macs
• improves reliability when connecting to a file server using SMB2
• fixes an issue that may cause VPN connections to disconnect
• improves VoiceOver navigation in Mail and Finder

As usual, Apple throws in a link to the security advisory tied to this update. Unsurprisingly, among the numerous patches included in this release, the company mentions the widely reported SSL/TLS flaw that needed an urgent fix.

The fix is available for OS X Mavericks 10.9 and 10.9.1. The issue in question would allow an attacker with a privileged network position to “capture or modify data in sessions protected by SSL/TLS.”

“Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps,” Apple explains.

OS X Mavericks 10.9.2 is also available as a Combo update, and for customers who are still on OS X Lion and OS X Mountain Lion, Apple offers Security Update 2014-001.

“Security Update 2014-001 is recommended for all users and improves the security of OS X,” says the Cupertino company.

An SSL-related flaw is also patched in OS X 10.8.5 (Mountain Lion). The bug, allowing an attacker to decrypt data protected by SSL, is addressed through one of the aforementioned security updates.

“There were known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode,” Apple’s description reads.

“To address these issues for applications using Secure Transport, the 1-byte fragment mitigation was enabled by default for this configuration,” the company states.

Download OS X Mavericks 10.9.2 Update

Download Security Update 2014-001