Apple patches Secure Transport, but not because of Heartbleed
- 23 April, 2014 06:13
Apple today issued a security-only update for OS X, patching 25 vulnerabilities in Mavericks, its newest operating system, and 7 bugs in older editions.
Tuesday's Security Update 2014-002 was unusual in that it patched numerous flaws but was not accompanied by a non-security refresh of Mavericks, as is Apple's custom in its support of the current Mac OS.
Along with the two-dozen-plus-one patches for Mavericks, the update also addressed two bugs in Lion and seven in Mountain Lion, the precursors to Mavericks which shipped in 2011 and 2012, respectively.
Apple has stopped shipping security updates for OS X Snow Leopard, the 2009 edition that powered 17% of all Macs last month.
Security Update 2014-002 contained patches for several run-of-the-mill vulnerabilities, a font parsing bug while viewing malformed PDFs here, an circumvention of the kernel's ASLR (Address Space Layout Randomization) anti-exploit defenses there, but the one that immediately stuck out was tagged as CVE-2014-1295.
"An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL," read Apple's advisory for CVE-2014-1295, referring to Secure Sockets Layer, one of the standard means of encrypting Internet traffic between clients and site servers.
Although the vulnerability wasn't associated with the Heartbleed exploit -- the flaw in OpenSSL that has made headlines for the two weeks -- the mere mention of "SSL" in Apple's advisory was enough to instantly put the bug in the limelight.
Apple credited a trio of researchers with reporting the vulnerability -- Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti -- who work with the Prosecco research team, which specializes in cryptography and is part of INRIA Paris-Rocquencourt, a national research center in France.
The three presented a paper on the flaw at a meeting of the Internet Engineering Task Force (IETF) last month.
"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," Apple conceded.
The Cupertino, Calif. company patched its Secure Transport -- Apple's name for its implementation of SSL and TLS (Transport Layer Security) -- in Mavericks and Mountain Lion. The bug did not affect Lion and earlier editions of the Mac operating system.
In a separate update, Apple also patched iOS's implementation of Secure Transport with iOS 7.1.1. The update fixed a number of other flaws, most of them in WebKit, the open-source browser engine that powers Safari.
Security Update 2014-002, an 80MB download for Mavericks, can be retrieved by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about mac os x in Computerworld's Mac OS X Topic Center.