Apple finally patched the security flaw in OS X. If you haven’t already, you should download the update right now over a secure connection. No, seriously do it right now. We’ll still be here when you get back.
OK, cool. Basically Apple released update 10.9.2 Tuesday afternoon, almost four days after it released a fix for iOS. And the update information tries to be casual. The condensed version of the notes consists of 11 bullet points that sound ordinary. But hidden at the bottom (where usually no one will see it, except we’re all going to see it because this is one of those rare times when people are actually looking for something specific in the update notes) is the line “Provides a fix for SSL connection verification.”
A longer but still condensed list doesn’t even mention SSL at all. Instead it notes some hilariously mundane features of the update like “Includes improvements to Gmail labels,” and “Resolves an issue which prevented printing to printers shared by Windows XP.” Gotta handle the tough issues first. It’s only when you go to the detailed description of the update, and scroll for awhile (the topics are listed alphabetically), that you can read about the vulnerability fix. The document says:
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
Similar in concept to how Apple patched the iOS vulnerability, OS X needed code that directed it to go through all the verification steps of SSL encryption and not assume a connection was safe based on one positive verification. The update patches the flaw in OS X Mavericks and OS X Mountain Lion, but it’s unclear whether older operating systems will get a fix as well. If you’re reading this on an Apple product and still haven’t updated, you’re either feeling contrary or you’re just bad at following direction. Let’s try it one more time. Please update now.