Apple has just issued OS X Mavericks version 10.9.2, fixing the same serious SSL security hole that they fixed for iPhone and iPad users at the end of last week.
Here is what you should see if you go into the Mac OS X App Store, and look for updates:
Mac OS X 10.9.2 has been pushed out of the door primarily to fix the embarrassing so-called “gotofail” flaw, which made it possible for an attacker positioned on the network path (someone on the same Wi-Fi hotspot, for example) to impersonate secure websites and intercept or tamper with the traffic between computers running Mavericks and those sites.
As I explained at the time, the privacy hole was created because of a flaw in Apple’s source code:
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
    ...
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;    /* duplicated line: always taken, with err still 0 */
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
A fumbling programmer accidentally introduced the security hole by including two “goto fail” lines in the code, one immediately after the other.
The first one is in the right place, but the second shouldn’t be there. Because the duplicate sits outside any if statement, it always executes, so the final hashing step and the signature verification that follows are skipped. Worse, at that point err still holds the success value (0) from the preceding check, so the function returns success and a forged server signature is accepted. That is what lets an attacker sitting between the client and the server pose as the secure website.
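To make the control-flow mistake concrete, here is an added toy reconstruction of the bug (my own code, not Apple’s). The real function hashes the handshake randoms and the signed parameters with SHA-1 and then checks the server’s signature over that hash; in this example the “hash” is a small multiplicative checksum and the “signature” is simply the expected checksum value, which is enough to show why the duplicated goto makes the check disappear. The buggy and corrected versions sit side by side, and the sample buffers are constructed rather than captured from a real handshake.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Apple's code: a toy reconstruction of gotofail.
 * The "hash" is a small checksum and the "signature" is just the expected
 * checksum, so hashes and signatures here are assumptions, not real crypto. */

typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809 }; /* -9809 is the real errSSLCrypto */

typedef struct {
    const uint8_t *data;
    size_t length;
} SSLBuffer;

/* Toy stand-in for SSLHashSHA1.update: fails on a NULL buffer, otherwise
 * folds the bytes into the running checksum. */
static OSStatus hash_update(uint32_t *ctx, const SSLBuffer *b)
{
    if (b->data == NULL)
        return errSSLCrypto;
    for (size_t i = 0; i < b->length; i++)
        *ctx = (*ctx * 31u) + b->data[i];
    return errSecSuccess;
}

/* Toy stand-in for SSLHashSHA1.final. */
static OSStatus hash_final(uint32_t *ctx, uint32_t *out)
{
    *out = *ctx ^ 0x5a5a5a5au;
    return errSecSuccess;
}

/* The vulnerable shape. After the second update the duplicated `goto fail;`
 * runs unconditionally: hash_final and the signature comparison are never
 * reached, and because err is still 0 from the last successful update the
 * function reports success for any signature at all. */
static OSStatus verify_buggy(const SSLBuffer *serverRandom,
                             const SSLBuffer *signedParams, uint32_t signature)
{
    OSStatus err;
    uint32_t hashCtx = 0, hashOut = 0;

    if ((err = hash_update(&hashCtx, serverRandom)) != 0)
        goto fail;
    if ((err = hash_update(&hashCtx, signedParams)) != 0)
        goto fail;
        goto fail;                     /* the duplicated line */
    if ((err = hash_final(&hashCtx, &hashOut)) != 0)
        goto fail;
    if (hashOut != signature)          /* the signature check, never reached */
        err = errSSLCrypto;
fail:
    return err;
}

/* The corrected shape: identical except that the stray line is gone. */
static OSStatus verify_fixed(const SSLBuffer *serverRandom,
                             const SSLBuffer *signedParams, uint32_t signature)
{
    OSStatus err;
    uint32_t hashCtx = 0, hashOut = 0;

    if ((err = hash_update(&hashCtx, serverRandom)) != 0)
        goto fail;
    if ((err = hash_update(&hashCtx, signedParams)) != 0)
        goto fail;
    if ((err = hash_final(&hashCtx, &hashOut)) != 0)
        goto fail;
    if (hashOut != signature)
        err = errSSLCrypto;
fail:
    return err;
}

/* Constructed sample inputs, not captured from a real handshake. */
static const uint8_t kServerRandom[] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t kSignedParams[] = { 0xaa, 0xbb, 0xcc };
static const SSLBuffer kRandom = { kServerRandom, sizeof kServerRandom };
static const SSLBuffer kParams = { kSignedParams, sizeof kSignedParams };

/* What a genuine server would have "signed": the checksum of both buffers. */
static uint32_t genuine_signature(void)
{
    uint32_t ctx = 0, out = 0;
    hash_update(&ctx, &kRandom);
    hash_update(&ctx, &kParams);
    hash_final(&ctx, &out);
    return out;
}

/* An attacker's forgery: the genuine value with one bit flipped. */
int buggy_status_for_forged_signature(void)
{
    return verify_buggy(&kRandom, &kParams, genuine_signature() ^ 1u);
}

int fixed_status_for_forged_signature(void)
{
    return verify_fixed(&kRandom, &kParams, genuine_signature() ^ 1u);
}

int fixed_status_for_genuine_signature(void)
{
    return verify_fixed(&kRandom, &kParams, genuine_signature());
}

int main(void)
{
    printf("buggy, forged signature : %d\n", buggy_status_for_forged_signature());
    printf("fixed, forged signature : %d\n", fixed_status_for_forged_signature());
    printf("fixed, genuine signature: %d\n", fixed_status_for_genuine_signature());
    return 0;
}
```

The buggy version returns 0 (success) for the forged signature, while the fixed version returns errSSLCrypto for the forgery and 0 only for the genuine value. Compiling with clang’s -Wunreachable-code, or with -Wmisleading-indentation on GCC 6 and later, flags the dead code after the second goto, which is the kind of warning that would have caught this line before it shipped.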
It is now obviously important that Mac users running Mavericks (on an iMac, MacBook or any other Mac) update to 10.9.2 at the earliest opportunity, before online criminals manage to take advantage of the flaw. Users of earlier versions of Mac OS X are not thought to be affected.
Companies and organisations typically like to take their time rolling out operating system updates, in case there are incompatibilities or unintended consequences of pushing out a new update to the computers on their network.
Home users, however, are typically more relaxed, eager to upgrade to the latest and “greatest” version of their preferred operating system.
I would certainly encourage users to upgrade to OS X Mavericks 10.9.2, but it’s always sensible to make a secure backup of your computer first, just in case…