IF you use Mac OS X 10.9, there's a SSL security bug that you definitely need to know about. Here's what we know so far about this developing story.
UPDATE: Apple has released OS X Mavericks 10.9.2. 9to5Mac notes:
"The release notes do not make mention of the SSL security bug that was squashed on iOS late last week, but a fix is present in this new OS X update. The update is available on the Mac App Store in the Software Update tab."
1. The SSL Vulnerability Is in Mac OS X 10.9.1
Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More http://t.co/Toxd7W7zU8
— Andy Greenberg (@a_greenberg) February 23, 2014
Mac OS X 10.9.1 has an SSL security vulnerability that could be problematic for some users.
The Register sums up the situation pretty neatly:
"Apple has admitted a bug in Mac OS X 10.9.1 allows hackers to intercept and decrypt SSL-encrypted connections – and has vowed to release a fix 'very soon.'
Sensitive information, such as bank card numbers and account passwords, sent over HTTPS, IMAPS and other SSL-protected channels from vulnerable Mac computers could easily end up in the hands of snoopers as a result of this security hole…
Apple's Safari web browser and Mail client running on OS X 10.9.1 are vulnerable to SSL snoopers because they rely on the broken crypto-library; other Cupertino apps such as Facetime and iMessage, and third-party programs using Apple's crocked code, are all faulty as well. Google Chrome and Mozilla Firefox are not vulnerable because they don't use the busted SSL library."
2. The OS X Bug Is Related to the Recent iOS Security Update
— Runa A. Sandvik (@runasand) February 23, 2014
Apple released a minor update to iOS 7 last Friday, the 21st of February.
It is now being reported that the iOS security update is related to the issue in OS X 10.9.1. While the iOS patch has fixed the problem on mobile, not everyone has gotten the OS X patch yet.
Threatpost writes that:
"The certificate-validation vulnerability that Apple patched in iOS yesterday also affected Mac OS X up to 10.9.1, the current version...Some users are reporting that Apple is rolling out a patch for his vulnerability in OS X, but it has not shown up for all users as yet."
3. The Bug's Cause Was Simple to Pinpoint
4 days after Apple released a patch for iOS, theres still none for OS X. So they really think OS X only exists to develop iOS apps #gotofail
— Jonathan S. (@Midar3) February 24, 2014
Wired writes that this security issue was caused by "a single bad Goto" command.
"Some software bugs are infinitely subtle and complicated. Others are comprehensible almost at a glance to anyone who dabbled in BASIC as a kid. The iOS 7 bug is in the latter group."
People are using the hashtag #gotofail on Twitter to talk about this bug.
4. Business Pros Should Exercise Caution
Mac OS X 10.9 users should not use Safari until there’s patch fixing the SSL bug. Use Firefox 26.0 or newer for now. https://t.co/dYCawQXjuB
— Marcel Winandy (@mwinandy) February 24, 2014
Search Security has advised readers in the business community to use caution going forward. They quote an expert who advises, "This bug makes SSL worthless if an attacker is on the same network as you."
"Until an OS X patch becomes available, experts say enterprises should encourage users to avoid using OS X devices on public networks or other networks where communications are likely to be intercepted."
5. Fixes Are Coming
— Okona (@Okona) February 24, 2014
There is a second test site as well, which can be accessed here. This link was working just fine at press time.
Alternatively, you can check your Mac to see if there is an OS X update ready for you now. As mentioned above, Apple is working on a fix that will be released soon. When that OS X update comes through, PC Mag has some tips on installing it:
"The updates should be applied while on a trusted network, and users should really avoid accessing secure sites while on untrusted networks (especially Wi-Fi) while traveling…"