Apple Finally Released a Fix for That Terrifying Vulnerability in OS X

The Citizen's Guide to the Future
Feb. 26 2014 11:56 AM

Apple Finally Released a Fix for That Terrifying Vulnerability in OS X

apple
Apple has a lot of promotional material about OS X's security features, but the SSL vulnerability dealt a blow to consumer trust.

Photo by Apple.

Apple finally patched the security flaw in OS X. If you haven't already, you should download the update right now over a secure connection. No, seriously do it right now. We'll still be here when you get back.

OK, cool. Basically Apple released update 10.9.2 Tuesday afternoon, almost four days after it released a fix for iOS. And the update information tries to be casual. The condensed version of the notes consists of 11 bullet points that sound ordinary. But hidden at the bottom (where usually no one will see it, except we're all going to see it because this is one of those rare times when people are actually looking for something specific in the update notes) is the line "Provides a fix for SSL connection verification."

Advertisement

A longer but still condensed list doesn't even mention SSL at all. Instead it notes some hilariously mundane features of the update like "Includes improvements to Gmail labels," and "Resolves an issue which prevented printing to printers shared by Windows XP." Gotta handle the tough issues first. It's only when you go to the detailed description of the update, and scroll for awhile (the topics are listed alphabetically), that you can read about the vulnerability fix. The document says:

Data Security
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Similar in concept to how Apple patched the iOS vulnerability, OS X needed code that directed it to go through all the verification steps of SSL encryption and not assume a connection was safe based on one positive verification. The update patches the flaw in OS X Mavericks and OS X Mountain Lion, but it's unclear whether older operating systems will get a fix as well. If you're reading this on an Apple product and still haven't updated, you're either feeling contrary or you're just bad at following direction. Let's try it one more time. Please update now.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.

TODAY IN SLATE

Medical Examiner

Here’s Where We Stand With Ebola

Even experienced international disaster responders are shocked at how bad it’s gotten.

U.S. Begins Airstrikes Against ISIS in Syria

The U.S. Is So, So Far Behind Europe on Clean Energy

It Is Very, Very Stupid to Compare Hope Solo to Ray Rice

Friends Was the Last Purely Pleasurable Sitcom

The Eye

This Whimsical Driverless Car Imagines Transportation in 2059

Politics

Meet the New Bosses

How the Republicans would run the Senate.

A Woman Who Escaped the Extreme Babymaking Christian Fundamentalism of Quiverfull

How in the World Did Turkey Just Get 46 Hostages Back From ISIS?

  News & Politics
Politics
Sept. 22 2014 6:30 PM What Does It Mean to Be an American? Ted Cruz and Scott Brown think it’s about ideology. It’s really about culture.
  Business
Moneybox
Sept. 22 2014 5:38 PM Apple Won't Shut Down Beats Music After All (But Will Probably Rename It)
  Life
Outward
Sept. 22 2014 4:45 PM Why Can’t the Census Count Gay Couples Accurately?
  Double X
The XX Factor
Sept. 22 2014 7:43 PM Emma Watson Threatened With Nude Photo Leak for Speaking Out About Women's Equality
  Slate Plus
Slate Plus
Sept. 22 2014 1:52 PM Tell Us What You Think About Slate Plus Help us improve our new membership program.
  Arts
Brow Beat
Sept. 22 2014 9:17 PM Trent Reznor’s Gone Girl Soundtrack Sounds Like an Eerie, Innovative Success
  Technology
Future Tense
Sept. 22 2014 6:27 PM Should We All Be Learning How to Type in Virtual Reality?
  Health & Science
Medical Examiner
Sept. 22 2014 4:34 PM Here’s Where We Stand With Ebola Even experienced international disaster responders are shocked at how bad it’s gotten.
  Sports
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.