Apple Finally Released a Fix for That Terrifying Vulnerability in OS X

The Citizen's Guide to the Future
Feb. 26 2014 11:56 AM

Apple Finally Released a Fix for That Terrifying Vulnerability in OS X

Apple has a lot of promotional material about OS X's security features, but the SSL vulnerability dealt a blow to consumer trust.

Photo by Apple.

Apple finally patched the security flaw in OS X. If you haven't already, you should download the update right now over a secure connection. No, seriously do it right now. We'll still be here when you get back.

OK, cool. Basically Apple released update 10.9.2 Tuesday afternoon, almost four days after it released a fix for iOS. And the update information tries to be casual. The condensed version of the notes consists of 11 bullet points that sound ordinary. But hidden at the bottom (where usually no one will see it, except we're all going to see it because this is one of those rare times when people are actually looking for something specific in the update notes) is the line "Provides a fix for SSL connection verification."


A longer but still condensed list doesn't even mention SSL at all. Instead it notes some hilariously mundane features of the update like "Includes improvements to Gmail labels," and "Resolves an issue which prevented printing to printers shared by Windows XP." Gotta handle the tough issues first. It's only when you go to the detailed description of the update, and scroll for awhile (the topics are listed alphabetically), that you can read about the vulnerability fix. The document says:

Data Security
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Similar in concept to how Apple patched the iOS vulnerability, OS X needed code that directed it to go through all the verification steps of SSL encryption and not assume a connection was safe based on one positive verification. The update patches the flaw in OS X Mavericks and OS X Mountain Lion, but it's unclear whether older operating systems will get a fix as well. If you're reading this on an Apple product and still haven't updated, you're either feeling contrary or you're just bad at following direction. Let's try it one more time. Please update now.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.


Medical Examiner

Here’s Where We Stand With Ebola

Even experienced international disaster responders are shocked at how bad it’s gotten.

The U.S. Airstrikes on ISIS in Syria Will Probably Benefit America’s Other Enemies

Divestment Is Fine but Mostly Symbolic. There’s a Better Way for Universities to Fight Climate Change.

It’s Not Easy for Me, but I Stand With Emma Watson on Women’s Rights

It Is Very Stupid to Compare Hope Solo to Ray Rice

Building a Better Workplace

In Defense of HR

Startups and small businesses shouldn’t skip over a human resources department.

Why Are Lighter-Skinned Latinos and Asians More Likely to Vote Republican?

How Ted Cruz and Scott Brown Misunderstand What It Means to Be an American Citizen

  News & Politics
The World
Sept. 23 2014 10:55 AM This Isn’t the Syria Intervention Anyone Wanted
Business Insider
Sept. 23 2014 10:03 AM Watch Steve Jobs Tell Michael Dell, "We're Coming After You"
Sept. 23 2014 11:32 AM Key & Peele Explain What Straights Should Expect at a Gay Wedding
  Double X
The XX Factor
Sept. 23 2014 11:13 AM Why Is This Mother in Prison for Helping Her Daughter Get an Abortion?
  Slate Plus
Slate Plus
Sept. 22 2014 1:52 PM Tell Us What You Think About Slate Plus Help us improve our new membership program.
Sept. 23 2014 11:30 AM A Rope Mistress, the Rubber Master, Sadomasochist Sisters: Portraits in Kink
Future Tense
Sept. 23 2014 10:51 AM Is Apple Picking a Fight With the U.S. Government? Not exactly.
  Health & Science
Bad Astronomy
Sept. 23 2014 11:00 AM Google CEO: Climate Change Deniers Are “Just Literally Lying”
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.