Slashdot Mirror


Apple SSL Bug In iOS Also Affects OS X

Trailrunner7 writes "The certificate-validation vulnerability that Apple patched in iOS yesterday also affects Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS. Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found. Some users are reporting that Apple is rolling out a patch for this vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable."

1 of 140 comments

  1. Re:Let's see how far back... by zippthorne · Score: 1, Troll

    So that they wouldn't be affected by bugs in OpenSSL?

    The idea that it's a bad idea to roll your own security features because you're probably not a security expert is not something that is necessarily applicable to an organization as large as Apple, which can certainly afford to employ as many security researchers as it needs to to match the security knowledge of other common security tool organizations.

    Further, a world in which there is only one (hopefully well-researched) implementation of critical security software also has drawbacks, as any errors in that software will affect everyone.

    --
    Can you be Even More Awesome?!