Apple patches OS X security hole

Apple today released an update for OS X that includes a fix for the same severe security hole that recently forced it to issue an emergency patch for its iOS mobile operating system.

The hole meant attackers could bypass Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication and encryption, leaving users' communications open to interception on shared networks.

The SSL/TLS bug fix is listed under a separate Apple Support Knowledge Base, under the Data Security heading, rather than in the OS X 10.9.2 update bundle.

Apple said the impact of the bug meant an attacker with a privileged network position may "capture or modify data in sessions protected by SSL/TLS".

Apple addressed the issue by restoring missing validation steps, it said.

A relatively small coding mistake led to part of the validation code being unreachable, allowing attackers to bypass SSL/TLS authentication completely and listen in on and modify victims' traffic over connections thought to be secured.

Bundled OS X applications such as the Safari web browser, Calendar, Reminders and the Apple Mail email client use the SSL/TLS code to set up authenticated and encrypted connections, and were vulnerable to interception before today's patch.

Users' iCloud data, KeyChain password enrolment and updates, Find My Mac updates and traffic for applications like Twitter are also vulnerable, as is Apple's Software Update, according to security consultant Aldo Cortesi, who tested the extent of the security hole.

While it's not known how long the bug has existed in OS X, the problem has been discovered in older versions of iOS, going back to 6.1.

The OS X 10.9.2 update has a total of 29 security fixes for the operating system and bundled applications. it also contains several system bug fixes and improvements, including the ability to make and receive FaceTime audio and video calls in OS X for the first time.

Apple was approached last week for comment by iTnews but has not responded.