Tuesday, February 25, 2014

"Goto fail": Mac OS X 10.9.2 eliminates SSL vulnerability - Heise Newsticker

The newly released OS X update removes the serious SSL problem that makes encrypted connections vulnerable. Version 10.9.2 also brings minor improvements.

Apple has released Mac OS X 10.9.2; the fix can be obtained through the Mac App Store. It eliminates a fatal error in establishing SSL connections: the missing validation steps were restored, writes the Mac maker.


More about SSL Vulnerability in Apple systems:

  • SSL bug in Mac OS X
  • Security Update for iOS 6 and 7
The problem, which has existed since 10.9, allows an attacker on the same network to spy on even encrypted connections, for example for online banking. A bug in Apple's SSL implementation means that, up to OS X 10.9.1, the Mac does not verify the certificate of the other side when setting up the secure connection, as the security researcher Stefan Esser said in an interview with Mac & i. An attacker sitting between client and server can use this to spy on the connection and change it. Older Mac OS X versions apparently do not contain the error.

Apple had fixed the problem, which also affects iPhone, iPad, iPod touch and Apple TV, this past Friday with the updates to iOS 7.0.6 and iOS 6.1.6 (the latter only for iPhone 3GS and fourth-generation iPod touch) as well as Apple TV software 6.0.2. Users should install the appropriate updates without fail. For developers who are already using the beta of iOS 7.1, there is still no update available.

Apple has so far not given further details on the origin and discovery of the serious vulnerability, which apparently existed in iOS for over a year.

The SSL vulnerability remains unmentioned in the release notes for OS X 10.9.2.
In addition to the SSL fix, Mac OS X 10.9.2 provides some new features and bug fixes. The update brings FaceTime audio calls and lets the user block unwanted FaceTime and iMessage callers. Both functions were already introduced with iOS 7 last fall.

In addition, Safari should no longer have problems with automatic form filling. An audio bug that could lead to distortions in the sound output has been fixed, and VPN and SMB2 connections are more reliable. Navigation in the Finder and in Apple Mail with VoiceOver, the screen reader built into OS X, should also work better.

[Update 02.25.2014 20:00] In addition to the SSL hole, OS X 10.9.2 eliminates a number of other vulnerabilities. For users of OS X 10.8.5 Mountain Lion and 10.7.5 Lion, a stand-alone Security Update 2014-001 is available for download. The updates close, among others, vulnerabilities in Apache and PHP, and various ways to circumvent the app sandbox.

Apple has also updated the root certificates and fixed multiple vulnerabilities in Core Animation, Core Text, Quick Look, QuickTime, and File Bookmark that may allow the execution of malicious code. Through a Secure Transport flaw, an attacker on OS X 10.8.5 Mountain Lion is sometimes able to decrypt SSL-encrypted data, writes Apple; the update should fix this.

Version 10.9.2 also includes Safari in the new version 7.0.2. The new version of the browser fixes several vulnerabilities in WebKit that may allow the injection of malicious code when a web page is opened. Users of OS X 10.8.5 and 10.7.5 should install Safari 6.0.2, in which this hole, according to Apple, is also fixed.
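The "goto fail" nickname in the headline refers to a duplicated `goto fail;` statement that made the handshake code jump past its final signature check while still reporting success. The following added example (a simplified illustration with constructed function names and values, not Apple's source and not part of the original article) shows that control-flow pattern next to a corrected form.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the handshake steps (constructed for this example). */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int hash_final(const char *data)  { return data ? 0 : -1; }
/* Returns 0 only when the signature matches the expected value. */
static int verify_signature(const char *sig) { return strcmp(sig, "valid-sig") == 0 ? 0 : -2; }

/* Flawed pattern: the second goto is unconditional, so err is still 0 at "fail". */
int verify_flawed(const char *params, const char *sig)
{
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
    goto fail;                    /* duplicated line; in the real bug it was indented
                                     as if it belonged to the if above */
    if ((err = hash_final(params)) != 0)
        goto fail;
    err = verify_signature(sig);  /* never reached */
fail:
    return err;
}

/* Corrected form: braces on every branch, and the signature check is reachable. */
int verify_fixed(const char *params, const char *sig)
{
    int err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = hash_final(params)) != 0) {
        goto fail;
    }
    err = verify_signature(sig);
fail:
    return err;
}

int main(void)
{
    /* Constructed inputs: a forged signature must be rejected (non-zero result). */
    printf("flawed, forged signature: %d\n", verify_flawed("params", "forged-sig"));
    printf("fixed,  forged signature: %d\n", verify_fixed("params", "forged-sig"));
    return 0;
}
```

Mandatory braces and compiler warnings such as clang's `-Wunreachable-code` or GCC's `-Wmisleading-indentation` flag this class of mistake at build time.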
