Updates Available for OS X SSL Vulnerability (2/25/2014)
On February 25, 2014, Apple released OS X Mavericks version 10.9.2 to address a serious SSL vulnerability uncovered the previous week. This update is related to another update released February 21, 2014 for a serious SSL vulnerability in iOS versions 6 and 7. Information Systems & Computing (ISC) strongly recommends that all OS X Mavericks users upgrade to version 10.9.2 immediately.
The update is available for all Macs capable of running OS X Mavericks.
The version of OS X can be checked by selecting About This Mac from the Apple menu. To update, select Software Update… from the Apple menu and update to 10.9.2. ISC advises backing up OS X systems prior to installing any OS X update.
The vulnerability is an apparently errant line in Apple’s “Secure Transport” API that causes signature verification to never fail. Because the check never fails, attackers can impersonate “trusted” servers unchecked and intercept and decrypt communications at will. OS X 10.8 Mountain Lion and earlier versions of OS X do not seem to have the vulnerability.
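
How a single errant line can make signature verification never fail, as an added illustration in C. This is constructed for this notice and is not Apple's Secure Transport source; it follows the publicly reported form of the bug, a duplicated `goto fail;` statement. All function names, the sample data and the toy "signature" comparison are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data; the 4-byte "signature" is a toy stand-in. */
static const unsigned char PARAMS[] = "key exchange parameters";
static const unsigned char GOOD_SIG[4] = {0xDE, 0xAD, 0xBE, 0xEF};
static const unsigned char FORGED_SIG[4] = {0x00, 0x00, 0x00, 0x00};

/* Hypothetical stand-ins for the real primitives; both return 0 on success. */
static int hash_update(const unsigned char *data, size_t len) {
    return (data != NULL && len > 0) ? 0 : -1;
}
static int signature_matches(const unsigned char *sig, size_t len) {
    return (len == sizeof GOOD_SIG && memcmp(sig, GOOD_SIG, len) == 0) ? 0 : -1;
}

/* Flawed: the stray jump leaves the function while err is still 0. */
int verify_flawed(const unsigned char *params, size_t plen,
                  const unsigned char *sig, size_t slen) {
    int err;
    if ((err = hash_update(params, plen)) != 0)
        goto fail;
    goto fail;  /* errant line: not guarded by the if above, always taken */
    if ((err = signature_matches(sig, slen)) != 0)  /* never reached */
        goto fail;
fail:
    return err; /* 0 is reported to the caller as "verified" */
}

/* Corrected: with the stray line removed, the signature check runs. */
int verify_fixed(const unsigned char *params, size_t plen,
                 const unsigned char *sig, size_t slen) {
    int err;
    if ((err = hash_update(params, plen)) != 0)
        goto fail;
    if ((err = signature_matches(sig, slen)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    printf("flawed, forged signature: %d\n",
           verify_flawed(PARAMS, sizeof PARAMS, FORGED_SIG, sizeof FORGED_SIG));
    printf("fixed,  forged signature: %d\n",
           verify_fixed(PARAMS, sizeof PARAMS, FORGED_SIG, sizeof FORGED_SIG));
    return 0;
}
```

The flawed routine returns success for the forged signature because the comparison is skipped entirely; a negative test that feeds a deliberately invalid signature and expects rejection catches this class of defect.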