Security researchers confirm that Apple needs to roll out OS X patch soon

Feb 22, 2014 12:23 GMT
Security researcher Ashkan Soltani shows a comparison between OS X and Linux certificate validation

If anyone is asking whether Apple’s recent SSL issue affects OS X as well, the answer is “YES, the vulnerability affects both the iOS and OS X operating systems,” according to CrowdStrike.

With the release of iOS 7.0.6, iOS 6.1.6 and Apple TV firmware 6.0.2, Apple this week patched a flaw where “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” according to the company’s documentation.

Apparently the vulnerability is present not only in iOS but in OS X as well. Security researchers at the aforementioned firm reveal that “Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.”

“This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system),” explains Alex Radocea over at crowdstrike.com.

Independent researcher and consultant Ashkan Soltani also confirms the flaw exists in Mavericks. He writes on Twitter, “Confirmed OSX SSL weirdness: 10.9.1 doesn't validate certs properly whereas Linux does.”
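As an added illustration (not code from the article, from CrowdStrike, or from Apple), the following Python models the class of defect the two researchers describe: a handshake verifier whose error-handling shortcut exits on the success path before the signature comparison ever runs, placed next to a correct verifier and the negative test that tells them apart. The HMAC-based “signature”, the key and the handshake values are constructed stand-ins for the asymmetric signature a real TLS client checks against the server certificate; the real OS X code is not reproduced here.

```python
import hashlib
import hmac

# Constructed demo key standing in for the server's signing key.
SERVER_KEY = b"constructed-demo-key"


def _transcript_hash(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """Hash of the handshake values the server signs (simplified)."""
    h = hashlib.sha256()
    h.update(client_random)
    h.update(server_random)
    h.update(params)
    return h.digest()


def sign_key_exchange(client_random: bytes, server_random: bytes, params: bytes,
                      key: bytes = SERVER_KEY) -> bytes:
    """What a legitimate server would send: HMAC used as a stand-in signature."""
    return hmac.new(key, _transcript_hash(client_random, server_random, params),
                    hashlib.sha256).digest()


def verify_buggy(client_random: bytes, server_random: bytes, params: bytes,
                 signature: bytes, key: bytes = SERVER_KEY) -> bool:
    """Illustrative defective verifier (constructed, not Apple's code).

    Each step records an error and bails out on failure; the bug is that
    the 'no error so far' path returns success before the signature is
    compared, so any value in `signature` is accepted.
    """
    err = None
    digest = _transcript_hash(client_random, server_random, params)
    if not digest:
        err = "hash failed"
    if err is not None:
        return False
    return True  # BUG: success reported before the signature is checked
    # Intended final step, never reached:
    # return hmac.compare_digest(hmac.new(key, digest, hashlib.sha256).digest(), signature)


def verify_fixed(client_random: bytes, server_random: bytes, params: bytes,
                 signature: bytes, key: bytes = SERVER_KEY) -> bool:
    """Correct verifier: the outcome is the signature comparison itself."""
    digest = _transcript_hash(client_random, server_random, params)
    expected = hmac.new(key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def rejects_forged_signature(verifier) -> bool:
    """Negative test: a verifier must refuse a handshake whose signature is garbage.

    This is the check that separates a client which 'validates certs properly'
    from one that does not, independent of whether valid handshakes succeed.
    """
    cr, sr, params = b"client-random", b"server-random", b"dh-params"  # constructed
    forged = b"\x00" * 32
    return verifier(cr, sr, params, forged) is False


if __name__ == "__main__":
    cr, sr, params = b"client-random", b"server-random", b"dh-params"
    good = sign_key_exchange(cr, sr, params)
    print("fixed accepts genuine:", verify_fixed(cr, sr, params, good))
    print("fixed rejects forged :", rejects_forged_signature(verify_fixed))
    print("buggy rejects forged :", rejects_forged_signature(verify_buggy))
```

The point of `rejects_forged_signature` is that a verifier which passes only positive tests (genuine handshakes succeed) can still be completely broken; a test suite for certificate and handshake validation needs cases that must fail.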

Apple is currently testing OS X 10.9.2 for an imminent release sometime in the next few days or weeks. The discovery of such a serious vulnerability could speed up the rollout.

The company has already spent a great deal of time testing this maintenance update, having seeded a total of seven betas to its sea of developers.

A GM (Golden Master) build of OS X 10.9.2 could be released in the next few days but, given the urgency of the situation, Apple could just as well publish the update without ever seeding a GM to testers.