Visiting one of the many test sites for the “goto fail” bug in Safari in OS X 10.9.2 confirms that the problem has been fixed.

Andrew Cunningham

After several months of testing, Apple has released OS X version 10.9.2 to the general public. In addition to the typical laundry list of updates and security fixes, the second major update to Mavericks fixes the “goto fail” SSL/TLS bug that Apple patched in iOS 7 on Friday.

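To show the shape of the bug the update fixes, here is an added C stand-in (not Apple's code and not from the article) that mirrors the duplicated `goto fail;` in SecureTransport's server-key-exchange signature check beside the corrected version; the error codes and the hash/verify helpers are constructed placeholders, not Apple's APIs.

```c
#include <stddef.h>

/* Constructed error codes standing in for SecureTransport's (values assumed). */
enum { kOk = 0, kHashFail = -1, kBadSignature = -2 };

/* Hypothetical helpers: a hash step that succeeds, and a signature check whose
   verdict is driven by the sig_ok flag so both outcomes can be exercised. */
static int hash_update(void) { return kOk; }
static int verify_signature(int sig_ok) { return sig_ok ? kOk : kBadSignature; }

/* Vulnerable shape: the second, unconditional goto is always taken with err
   still 0 from the previous successful step, so the final hash update and the
   signature verification never run and a forged signature is accepted. */
int verify_key_exchange_vulnerable(int sig_ok)
{
    int err;
    if ((err = hash_update()) != kOk)
        goto fail;
    if ((err = hash_update()) != kOk)
        goto fail;
        goto fail;                      /* the duplicated line */
    if ((err = hash_update()) != kOk)   /* unreachable */
        goto fail;
    err = verify_signature(sig_ok);     /* unreachable */
fail:
    return err;
}

/* Fixed shape: every hash step runs and the signature result decides err. */
int verify_key_exchange_fixed(int sig_ok)
{
    int err;
    if ((err = hash_update()) != kOk)
        goto fail;
    if ((err = hash_update()) != kOk)
        goto fail;
    if ((err = hash_update()) != kOk)
        goto fail;
    err = verify_signature(sig_ok);
fail:
    return err;
}
```

The vulnerable function returns 0 (success) regardless of whether the signature is valid, which is exactly what the goto fail test sites probe for by presenting a handshake whose signature should not verify.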
The SSL bug isn’t mentioned in the release notes that appear in Software Update, but the bug is mentioned on Apple’s security page for 10.9.2. We were also able to confirm the fix by visiting several goto fail test sites in Safari after applying the update. Security updates for Mountain Lion and Lion have been provided as well, but previous versions of OS X were never affected by the goto fail bug in the first place—those patches will fix other problems, but users won’t need to worry about the goto fail bug either way.

Apple has been criticized by members of the security community for patching the iOS flaw without providing a fix for OS X. iOS 7.0.6 was taken apart within hours of its release, demonstrating the bug to anyone who cared to look for it and leaving the unpatched OS X exposed for four days. Mac users could avoid having their communications exposed by avoiding Safari and Mail.app in favor of other applications, but any applications that use OS X’s SSL implementation were still unsafe.

As of this writing, working proof-of-concept attacks that exploit the bug have already appeared.

Since news of the goto fail bug broke on Friday, some people have noted the apparent irony of relying on Apple-implemented encryption to download a fix for a critical iOS and Mac crypto bug.

Fortunately, those concerns turned out to be misplaced, since goto fail does nothing to break the code signing protections Apple uses to ensure only authentic updates get installed.
