Apple closes major SSL gap in OS X

Apple has patched a serious security issue in OS X Mavericks. The issue made it possible to read the contents of HTTPS traffic. iOS was also vulnerable, but was already patched last Saturday.

The update that fixes the problem is now available for download, although Apple's update screen does not mention that the patch is included. A more detailed overview of the security vulnerabilities fixed in the update does show that the problem has been resolved. It is remarkable that Apple is fixing the problem this quietly, because it is a relatively serious security issue.

The bug allowed malicious parties with administrator rights on the network to carry out a so-called man-in-the-middle attack, in which network traffic is intercepted. This is already possible with HTTP traffic, because that traffic is not encrypted, but HTTPS is specifically intended to communicate confidentially over channels that are not necessarily trusted.

The security issue was caused by the line ‘goto fail’ appearing twice where it should have appeared only once. As a result, a server that the code should have rejected was still trusted. Some have suggested that the bug was placed in the code deliberately and constitutes a backdoor; Apple has not yet responded to that allegation.
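To show why a single duplicated line has that effect, here is an added illustration in C that is not Apple's code: it mirrors only the control-flow shape of the defect, with constructed stand-ins (fake_update, fake_verify, verify_vulnerable, verify_fixed) for the hashing and signature steps, beside the corrected shape.

```c
/* Added example, not Apple's SecureTransport code: the names and the
 * fake verification are constructed; only the control flow is the point. */
typedef int OSStatus;
enum { errSecSuccess = 0, errSecBadSignature = -1, errSecParam = -2 };

/* Stand-in for the hash-update calls that precede the signature check. */
static OSStatus fake_update(int should_fail) {
    return should_fail ? errSecParam : errSecSuccess;
}

/* Stand-in for the final signature check: signature_valid = 1 means valid. */
static OSStatus fake_verify(int signature_valid) {
    return signature_valid ? errSecSuccess : errSecBadSignature;
}

/* Vulnerable shape: the second "goto fail" is unconditional (the indentation
 * is misleading, there are no braces), so execution always jumps to fail:
 * while err still holds the success value of the preceding update. The
 * signature is never checked, and a bad one is reported as valid. */
OSStatus verify_vulnerable(int signature_valid) {
    OSStatus err;
    if ((err = fake_update(0)) != 0)
        goto fail;
    if ((err = fake_update(0)) != 0)
        goto fail;
        goto fail;          /* the duplicated line */
    if ((err = fake_verify(signature_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: one goto per check, braces so indentation cannot mislead,
 * and the signature verification is actually reached. */
OSStatus verify_fixed(int signature_valid) {
    OSStatus err;
    if ((err = fake_update(0)) != 0) {
        goto fail;
    }
    if ((err = fake_update(0)) != 0) {
        goto fail;
    }
    if ((err = fake_verify(signature_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}
```

Compiling the vulnerable version with unreachable-code warnings enabled (and a style rule requiring braces) is the kind of check that flags this pattern before it ships.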

The bug occurred not only in OS X, but also in iOS; that operating system was already patched last weekend. Other versions of OS X are not vulnerable.

Image: Ashkan Soltanic