Apple releases OS X 10.9.2 with fix for SSL security flaw, plus new FaceTime Audio

post #1 of 186
Thread Starter 
Apple on Tuesday released an incremental update for its Mavericks operating system, with OS X 10.9.2 addressing a critical SSL-related security flaw for Mac users, and also adding a handful of new features, most notably additions for FaceTime calls and iMessage user blocking.


The newly released update also gives users the ability to make and receive FaceTime audio calls. This functionality was previously limited to iOS devices.

With OS X 10.9.2, users also gain the ability to use call waiting when using FaceTime audio and video. Users on iMessages can also block incoming messages from individual senders.

As for the "goto fail" SSL bug, AppleInsider was first to report on Monday that Apple was providing its internal employees with a prerelease build that addresses the flaw. Such measures signal that the public release of a new OS X build is imminent.

The SSL security issue was also addressed in iOS 7.0.6, an update for the iPhone, iPad and iPod touch that was delivered late last week.

Additional features in the latest version of Mavericks, now available through Software Update on the OS X App Store, include:

  • Adds the ability to block incoming iMessages from individual senders
  • Improves the accuracy of unread counts in Mail
  • Resolves an issue that prevented Mail from receiving new messages from certain providers
  • Improves AutoFill compatibility in Safari
  • Fixes an issue that may cause audio distortion on certain Macs
  • Improves reliability when connecting to a file server using SMB2
  • Fixes an issue that may cause VPN connections to disconnect
  • Improves VoiceOver navigation in Mail and Finder
post #2 of 186

To update or not to update..in the middle of work day...that is the question.

post #3 of 186
More information can be found here: https://www.imperialviolet.org/2014/02/22/applebug.html
And yes, 'it's really that bad'.
post #4 of 186

Not at work so I updated. What's a safe site to test to make sure it works?

post #5 of 186
These point releases are getting increasingly boring - the Jaguar and Panther times were more interesting, I must say.
iMac Intel 27" Core i7 3.4, 16GB RAM, 120GB SSD + 1TB HD + 4TB RAID 1+0, Nuforce Icon HDP, OS X 10.9.1; iPad Air 64GB; iPhone 5 32GB; iPod Classic; iPod Nano 4G; Apple TV 2.
post #6 of 186
Quote:
Originally Posted by rob53 View Post

Not at work so I updated. What's a safe site to test to make sure it works?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #7 of 186
Originally Posted by knowitall View Post
And yes, 'it's really that bad'.

 

Except it isn’t. Because they just patched it.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #8 of 186
Quote:
Originally Posted by Tallest Skil View Post

Except it isn’t. Because they just patched it.

You should know better than that (read the link I posted).
post #9 of 186
Quote:
Originally Posted by SolipsismX View Post
 

Thanks. I am now Safe.

 

post #10 of 186
Originally Posted by knowitall View Post
You should know better than that (read the link I posted).

 

So where in the link does it say 10.9.2 is still affected?

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #11 of 186
Quote:
Originally Posted by brlawyer View Post

These point releases are getting increasingly boring - the Jaguar and Panther times were more interesting, I must say.

 

I hear ya.  That's why for entertainment I go see a movie or a show nowadays.

post #12 of 186
Quote:
Originally Posted by Tallest Skil View Post
 

 

Except it isn’t. Because they just patched it.

Originally Posted by knowitall View Post


You should know better than that (read the link I posted).

Actually he does because it was an easy fix and it now works properly. If you actually know everything (vs being a know-it-all who knows nothing) then why didn't you find it first????

post #13 of 186
Quote:
Originally Posted by pmz View Post

To update or not to update..in the middle of work day...that is the question.

Updated ... All is fine, so far ...
"Swift generally gets you to the right way much quicker." - auxio -

"The perfect [birth]day -- A little playtime, a good poop, and a long nap." - Tomato Greeting Cards -
post #14 of 186
Quote:
Originally Posted by rob53 View Post

Thanks. I am now Safe.



Did you change your iTunes/iCloud password? What about every other password for every other account that may have passed through Safari, Mail, Calendar, Notes, iCloud documents for various Mac and iOS apps, etc.?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #15 of 186

Awww, they fixed the Gotofail bug.  Now what will all these poor click-whoring bloggers and stock manipulators have to get their panties all bunched up for now?

post #16 of 186
Quote:
Originally Posted by tundraboy View Post

Quote:
Originally Posted by brlawyer View Post

These point releases are getting increasingly boring - the Jaguar and Panther times were more interesting, I must say.

I hear ya.  That's why for entertainment I go see a movie or a show nowadays.

Only took about 15 min. end-to-end on my 2012 iMac.
"Swift generally gets you to the right way much quicker." - auxio -

"The perfect [birth]day -- A little playtime, a good poop, and a long nap." - Tomato Greeting Cards -
post #17 of 186
Quote:
Originally Posted by Tallest Skil View Post

So where in the link does it say 10.9.2 is still affected?

Struisvogelpolitiek won't get you (and Apple) anywhere.
Face the facts.
post #18 of 186
Quote:
Originally Posted by Dick Applebaum View Post


Only took about 15 min. end-to-end on my 2012 iMac.

 

About the same here. Two automatic restarts and an iTunes account login request for iCloud.

Proud AAPL stock owner.

 

GOA

post #19 of 186
Quote:
Originally Posted by Tallest Skil View Post

Except it isn’t. Because they just patched it.

They patched it but remember that everything you may have sent via for the last 18 months can now be easily read by anyone that may have captured your data. It's not just public WiFi hotspots you need to consider. In fact, I'd say that is the least likely threat to your privacy you are bound to experience from this security bug. Again, I recommend everyone at least change their iTunes/iCloud password.

Quote:
Originally Posted by Dick Applebaum View Post

Updated ... All is fine, so far ...

Unfortunately we all thought everything was fine up until late last week.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #20 of 186
Quote:
Originally Posted by pmz View Post
 

To update or not to update..in the middle of work day...that is the question.

No question at all. Don’t update in the middle of the work day, period. Don’t tempt fate or the binary demons.

post #21 of 186
Quote:
Originally Posted by rob53 View Post

Actually he does because it was an easy fix and it now works properly. If you actually know everything (vs being a know-it-all who knows nothing) then why didn't you find it first????

You seem to have a very simplistic world view. The fact that it is easy to fix has no relation to the severity of the security breach.
What about the months that have gone by while this bug was in place?
post #22 of 186
Quote:
Originally Posted by SolipsismX View Post

Quote:
Originally Posted by Tallest Skil View Post

Except it isn’t. Because they just patched it.

They patched it but remember that everything you may have sent via for the last 18 months can now be easily read by anyone that may have captured your data. It's not just public WiFi hotspots you need to consider. In fact, I'd say that is the least likely threat to your privacy you are bound to experience from this security bug. Again, I recommend everyone at least change their iTunes/iCloud password.

Quote:
Originally Posted by Dick Applebaum View Post

Updated ... All is fine, so far ...

Unfortunately we all thought everything was fine up until late last week.

Yeah, but the way I understand it you had to be on the same WiFi network as the hacker. We change our passwords once a month -- and very seldom use 'public' WiFi networks.
"Swift generally gets you to the right way much quicker." - auxio -

"The perfect [birth]day -- A little playtime, a good poop, and a long nap." - Tomato Greeting Cards -
post #23 of 186
Quote:
Originally Posted by SolipsismX View Post

They patched it but remember that everything you may have sent via for the last 18 months can now be easily read by anyone that may have captured your data. It's not just public WiFi hotspots you need to consider. In fact, I'd say that is the least likely threat to your privacy you are bound to experience from this security bug. Again, I recommend everyone at least change their iTunes/iCloud password.
Unfortunately we all thought everything was fine up until late last week.

If wifi hotspots aren't a concern, then what things are (or were)?

And if someone has my info, why bother waiting for me to change my passwords? Why not use that info right away before I know what's happened?
post #24 of 186
Originally Posted by knowitall View Post
Face the facts.

 

Fact 1: The bug is patched.

Fact 2: It is already not a problem, unlike what he claimed.

Fact 3: You’re missing something here.

 

Originally Posted by SolipsismX View Post
may have captured

 

I’m not worried. Virtually the only data “captured” will have been between the discovery of the bug and this morning.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #25 of 186
Quote:
Originally Posted by Sporlo View Post

If wifi hotspots aren't a concern, then what things are (or were)?

And if someone has my info, why bother waiting for me to change my passwords? Why not use that info right away before I know what's happened?

From what I understand any potential website configured in the right way could have breached the security of your system (https://www.imperialviolet.org/2014/02/22/applebug.html) hence the sites to test your security. It's also possible that a regular website like Google.com for example is infected with invisible links and a 'redirect' causes a security breach.

And yes, it could very well be that your info is used already.
post #26 of 186
Quote:
Originally Posted by Dick Applebaum View Post

Yeah, but the way I understand it you had to be on the same WiFi network as the hacker. We change our passwords once a month -- and very seldom use 'public' WiFi networks.
Quote:
Originally Posted by Sporlo View Post

If wifi hotspots aren't a concern, then what things are (or were)?

And if someone has my info, why bother waiting for me to change my passwords? Why not use that info right away before I know what's happened?

Your SSL encapsulated data isn't repackaged once you get to the first router at a public hotspot. The secure socket layer is established between your device and the server. Anyone with access via the local network via an unsecured WiFi, a secured WiFi network or ethernet, or from any of the many ISPs involved via a less than honest ISP, less than honest person with access to the ISP, the NSA, etc. could have access to data you sent up to 18 months ago. Even if they dumped the data to a drive they could go back looking for private data — which you can't help — but you can change your password to prevent them from having access to your account(s) in the future.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #27 of 186
This is bogus! My Mail count is still not working! I have a Google Apps, Gmail, and iCloud account set up in Mail. I get an unread count in the corresponding Archive folder, but not in the Inbox folder. Therefore, I do not get a badge count on the dock. Why is this still not working?!
post #28 of 186
Quote:
Originally Posted by Tallest Skil View Post

I’m not worried. Virtually the only data “captured” will have been between the discovery of the bug and this morning.

1) I'm sure I have a few GiB of data packets I captured last year from doing security checks that I failed to delete. If I were so inclined I could get some private info, including passwords.

2) You weren't worried a week ago when this bug didn't exist. By exist I mean when you learned of it. When did others learn of it? When did the NSA learn of it? I say better to be safe than sorry, especially when it only takes a moment to change a password.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #29 of 186
Quote:
Originally Posted by Tallest Skil View Post
Except it isn’t. Because they just patched it.


Quote:
Originally Posted by knowitall View Post
Quote:
 Originally Posted by Tallest Skil View Post

 

Except it isn’t. Because they just patched it.

You should know better than that (read the link I posted).

we did read it.  2 days ago.   You're 

 

It's bad in a macro sense, but that horse left via the open gate a long time ago.  Update when you can, but it's not like your system will be taken over in the next 15 minutes if you don't (well, unless you're in some really bad part of the Internet at the moment).

And your advice is really short sighted. The patch is the first step... in practice now every password has to be changed wherever you thought it passed directly to a site via SSL/TLS.  (every bank, every email, every router you manage, every firewall, your twitters, your facespaces).   Putting this patch in does very little.  The hard work is changing every secret you thought had a reasonable semblance of network security via SSL/TLS.

In reality if you practised good network hygiene (never connected to a net that was untrustworthy.. e.g. stayed on your well managed home or work networks... and stayed out of internet cafes in Russia and Thailand, maintained a tight list of wireless networks you allowed auto-connection to, etc),  never clicked on links in email, or ads, and/or have a reasonable set of content controls in place (using url reputation services, like OpenDNS, Bluecoat, ZScaler and ad blocking stuff (adblock-plus) in browsers), your risk was minimal, unless you were targeted by the NSA, and contrary to popular belief, most aren't.

So in the end, TS's advice, while cryptic, is apt to the vast majority of people here... Patch when you can,

post #30 of 186
If it fixes the gmail mess, that is damn exciting.
post #31 of 186
Quote:
Originally Posted by Tallest Skil View Post

...
I’m not worried. Virtually the only data “captured” will have been between the discovery of the bug and this morning.

You're right, that's exactly the point, and when do you think the bug is discovered? And by whom?
Or is it discovered multiple times by different persons who used it to steal data? Do you know that?
post #32 of 186
It is very unlikely that anybody has been compromised; however, you should always change your password every six months
and be very wary when accessing a public network.
post #33 of 186
Quote:
Originally Posted by DustinLH00 View Post

This is bogus! My Mail count is still not working! I have a Google Apps, Gmail, and iCloud account set up in Mail. I get an unread count in the corresponding Archive folder, but not in the Inbox folder. Therefore, I do not get a badge count on the dock. Why is this still not working?!

Have you tried changing this setting?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #34 of 186
Quote:
Originally Posted by TheOtherGeoff View Post


we did read it.  2 days ago.   You're 

It's bad in a macro sense, but that horse left via the open gate a long time ago.  Update when you can, but it's not like your system will be taken over in the next 15 minutes if you don't (well, unless you're in some really bad part of the Internet at the moment).

And your advice is really short sighted. The patch is the first step... in practice now every password has to be changed wherever you thought it passed directly to a site via SSL/TLS.  (every bank, every email, every router you manage, every firewall, your twitters, your facespaces).   Putting this patch in does very little.  The hard work is changing every secret you thought had a reasonable semblance of network security via SSL/TLS.

In reality if you practised good network hygiene (never connected to a net that was untrustworthy.. e.g. stayed on your well managed home or work networks... and stayed out of internet cafes in Russia and Thailand, maintained a tight list of wireless networks you allowed auto-connection to, etc),  never clicked on links in email, or ads, and/or have a reasonable set of content controls in place (using url reputation services, like OpenDNS, Bluecoat, ZScaler and ad blocking stuff (adblock-plus) in browsers), your risk was minimal, unless you were targeted by the NSA, and contrary to popular belief, most aren't.

So in the end, TS's advice, while cryptic, is apt to the vast majority of people here... Patch when you can,

You seem to confuse two persons.
But you're wrong, even good network hygiene won't save you if you're unlucky (see my other post).
post #35 of 186
Quote:
Originally Posted by SolipsismX View Post


Have you tried changing this setting?

 

Mine is set to "Inbox Only". If I switch it to "All Mailboxes" I get an unread count in the dock, but that includes unread in trash and elsewhere. When I look at the inboxes within Mail, only iCloud ever shows an unread count next to the box and therefore the dock. Gmail and GApps do not show the unread count even though there are unread messages in the inbox.

post #36 of 186
Quote:
Originally Posted by knowitall View Post


You should know better than that (read the link I posted).

 

I don't think you understand dates and spans of time. Ya see, the link you posted was the explanation of the SSL exploit as provided by Adam Langley on February 22nd whereas the 10.9.2 update containing a fix for that bug was released on February 25th. Perhaps you can now understand what's going on.

post #37 of 186
Quote:
Originally Posted by DustinLH00 View Post

Mine is set to "Inbox Only". If I switch it to "All Mailboxes" I get an unread count in the dock, but that includes unread in trash and elsewhere. When I look at the inboxes within Mail, only iCloud ever shows an unread count next to the box and therefore the dock. Gmail and GApps do not show the unread count even though there are unread messages in the inbox.

In that case I suggest you search for a solution at the link below. And if you can't find one then sign up and state your issue in great detail.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #38 of 186

This was, by all accounts, the most serious breach in the history of computing. Therefore the fix should be the single greatest update ever done in the history of computing.

 

I wonder if as much attention will be paid to the fix as to the doomsayers claiming this was such a huge security flaw?

 

What I really like is how many talk about how this was such a big deal, yet nobody can produce a list of all the victims. Where are they? Where are the countless people who have had money taken from their bank, charges of their credit cards or iTunes accounts compromised?

post #39 of 186
Quote:
Originally Posted by Emes View Post

I remember the old days when Apple ads used to claim their OS was infallible.

Can you post a link to at least one of those ads?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #40 of 186
Quote:
Originally Posted by EricTheHalfBee View Post
 

This was, by all accounts, the most serious breach in the history of computing. Therefore the fix should be the single greatest update ever done in the history of computing.

 

I wonder if as much attention will be paid to the fix as to the doomsayers claiming this was such a huge security flaw?

 

What I really like is how many talk about how this was such a big deal, yet nobody can produce a list of all the victims. Where are they? Where are the countless people who have had money taken from their bank, charges of their credit cards or iTunes accounts compromised?

 

It wasn't a breach. It was a flaw that was discovered and corrected.

Proud AAPL stock owner.

 

GOA
