Most people live on their Macs and iOS devices, paying bills, checking email, and logging in to various sites that help run our lives. Last week it was discovered that all this private communication could be viewed by a malicious party using a Man In The Middle (MITM) attack thanks to a string of faulty code in both OS X as well as iOS.
The issue has been present in iOS since 2012, but only became a part of OS X with 10.9 Mavericks. Essentially, anyone using public Wi-Fi became susceptible to having his or her information intercepted. While a MITM attack is far from simple to accomplish, the ability to do so caused quite a stir in the Apple security world.
A few days ago Apple released iOS 7.0.6 to fix the flaw, but OS X was left surprisingly unfixed until yesterday afternoon when Apple released OS X 10.9.2 that included not only the SSL vulnerability fix, but an assortment of other fixes. Before getting to everything in 10.9.2, it’s worthwhile to give a little more information on what this vulnerability entailed.
What is goto fail;?
The SSL vulnerability that left Macs and iOS devices open to attack is all thanks to a single line of code that was copied between systems. The code, as seen below, causes the majority of Mac and iOS applications to skip a verification step that is supposed to happen when certain secure connections are made.
(Image courtesy of arsTechnica)
In other words, when your Mac establishes a secure connection with another computer and the digital certificate doesn’t match the source it claims to come from, your Mac should say no, but the extra goto fail; in this code skips that check.
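To make the control-flow defect concrete, here is an added example that is not Apple’s code and not code from this post. It models the structure of the affected function: a chain of steps that each set err and jump to a fail: label on error, with one duplicated, unconditional goto fail; in the middle. The hash and signature routines (digest_update, signature_check) are hypothetical stand-ins so the example runs offline; what matters is that the vulnerable version returns err == 0 without ever calling signature_check, so any signature is accepted.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a simplified model of the "goto fail;" pattern, not Apple's
 * code. digest_update and signature_check are hypothetical stand-ins for the
 * real hash-update and signature-verification steps. */

#define DIGEST_LEN 32

typedef struct { unsigned char d[DIGEST_LEN]; } Digest;

/* Stand-in hash step: folds the buffer into the digest; returns 0 on success. */
static int digest_update(Digest *dg, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) dg->d[i % DIGEST_LEN] ^= buf[i];
    return 0;
}

/* Stand-in signature check: 0 if sig equals the digest, nonzero otherwise.
 * A real implementation would verify an RSA/ECDSA signature over the digest. */
static int signature_check(const Digest *dg, const unsigned char *sig, size_t siglen) {
    if (siglen != DIGEST_LEN) return -1;
    return memcmp(dg->d, sig, DIGEST_LEN) == 0 ? 0 : -1;
}

/* Vulnerable layout: the second "goto fail;" is not guarded by any if, so it
 * always executes. Control reaches fail: with err still 0 from the successful
 * digest step, and signature_check never runs, so any signature passes. */
int verify_vulnerable(const unsigned char *msg, size_t len,
                      const unsigned char *sig, size_t siglen) {
    Digest dg;
    int err;
    memset(&dg, 0, sizeof dg);
    if ((err = digest_update(&dg, msg, len)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: indented, but unconditional */
    if ((err = signature_check(&dg, sig, siglen)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed layout: identical except the duplicated goto is gone, so the
 * signature check is reached and its result decides the return value. */
int verify_fixed(const unsigned char *msg, size_t len,
                 const unsigned char *sig, size_t siglen) {
    Digest dg;
    int err;
    memset(&dg, 0, sizeof dg);
    if ((err = digest_update(&dg, msg, len)) != 0)
        goto fail;
    if ((err = signature_check(&dg, sig, siglen)) != 0)
        goto fail;
fail:
    return err;
}

/* Demo helper: computes the signature that signature_check would accept. */
void genuine_signature(const unsigned char *msg, size_t len, unsigned char out[DIGEST_LEN]) {
    Digest dg;
    memset(&dg, 0, sizeof dg);
    digest_update(&dg, msg, len);
    memcpy(out, dg.d, DIGEST_LEN);
}

/* Returns 1 if the fixed version accepts a genuine signature (sanity check
 * that the fix did not simply reject everything). */
int fixed_accepts_genuine(void) {
    const unsigned char msg[] = "ServerKeyExchange";   /* constructed sample message */
    unsigned char genuine[DIGEST_LEN];
    genuine_signature(msg, sizeof msg - 1, genuine);
    return verify_fixed(msg, sizeof msg - 1, genuine, DIGEST_LEN) == 0;
}

int main(void) {
    /* Constructed sample input: a handshake message and an all-zero forged signature. */
    const unsigned char msg[] = "ServerKeyExchange";
    unsigned char forged[DIGEST_LEN] = {0};
    size_t len = sizeof msg - 1;

    printf("vulnerable, forged sig: %s\n",
           verify_vulnerable(msg, len, forged, DIGEST_LEN) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed, forged sig     : %s\n",
           verify_fixed(msg, len, forged, DIGEST_LEN) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed, genuine sig    : %s\n",
           fixed_accepts_genuine() ? "ACCEPTED" : "rejected");
    return 0;
}
```

Two things worth taking from the example: the unreachable call is exactly what a compiler warning for unreachable or misleadingly indented code flags, and a single negative test (feed a bad signature, expect rejection) would have caught it before release. Both are cheap checks for any code that gates a security decision on a chain of goto-on-error steps.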
Some are calling this a conspiracy and others are calling it a simple programming mistake that should have been caught in Q/A, but whatever it is, it’s a very good thing that Apple fixed it.
The Mac Update
Like we said above, Apple released OS X 10.9.2 yesterday to combat the security flaw as well as some other planned fixes.
10.9.2 has been in beta testing for some time and was updated with the errant code fix before release. The OS X 10.9.2 update includes the following:
- Adds the ability to make and receive FaceTime audio calls
- Adds call waiting support for FaceTime audio and video calls
- Adds the ability to block incoming iMessages from individual senders
- Improves the accuracy of unread counts in Mail
- Resolves an issue that prevented Mail from receiving new messages from certain providers
- Improves AutoFill compatibility in Safari
- Fixes an issue that may cause audio distortion on certain Macs
- Improves reliability when connecting to a file server using SMB2
- Fixes an issue that may cause VPN connections to disconnect
- Improves VoiceOver navigation in Mail and Finder
The full details of this update can be found here. As you can see, the most likely reason Apple put off this fix for a few days is that 10.9.2 was already a fairly large maintenance release, and at nearly 860MB, it’s definitely a big one.
You can run this update by clicking on the Apple icon in your OS X menu bar and choosing Software Update, by opening the Mac App Store and clicking on Updates, or by following one of the links below.
Making Sure You’re Safe
Once you’re updated, which takes around 30-45 minutes to complete, you can test your browsers to make sure you’re safe. A tool has been built that can test your browser for the vulnerability. Head over to gotofail.com and you’ll get a near-instant result on the security of your browser. For me, I got “Probably safe” using the latest release of Chrome, and “Safe” using the latest release of Safari.
With OS X as well as iOS updated, this latest security flaw has been fixed without any known exploits, which is exactly how things should work. It’s worth noting, however, that if you’re running a beta of iOS 7.1 your device is still at risk. It’s recommended that you either revert back to 7.0.6 or stop using public Wi-Fi until the flaw is fixed in the 7.1 beta.