Apple SSL Bug In iOS Also Affects OS X

Trailrunner7 writes "The certificate-validation vulnerability that Apple patched in iOS yesterday also affects Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS. Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found. Some users are reporting that Apple is rolling out a patch for his vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable."

Informative discussion thread

[MisterSquid]

Over at MetaFilter, there's a pretty informative thread calling out these parts among others.

• iOS 6 users with iOS 7-capable devices will be given the latest iOS 7.
• iOS 6 users without iOS 7-capable devices will be given the latest iOS 6
• Mac OS X users pre-Mavericks (10.9) are OK.
• Mac OS X Mavericks users should avoid using Safari.
• You can visit this link to see if your device/browser is affected.