[Macpartners] Apple Issues OS X Update to Address SSL Flaw
Andrew Munchbach
amunch at MIT.EDU
Wed Feb 26 12:51:24 EST 2014
Matt,
This is correct. At the time of my original notice, Apple had not published the contents of "Security Update 2014-001" for 10.8 and 10.7 (it still hasn't) nor had it published the CVE entry for the SSL issue.
The CVE entry for the SSL flaw is now live [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266]. It lists affected systems as: "iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2."
Those are systems affected by the SSL flaw.
When Apple does eventually publish the contents of "Security Update 2014-001" you will be able to find that information here: http://support.apple.com/kb/ht1222.
Currently, the only information available about "Security Update 2014-001" can be found:
Mountain Lion: http://support.apple.com/kb/DL1729
Lion: http://support.apple.com/kb/DL1727
I'm curious to know the contents of this update seeing as it was released at the exact same time as OS X 10.9.2.
Regards,
Andrew
--
Andrew Munchbach
Network Security Analyst
Massachusetts Institute of Technology
IS&T | Operations & Infrastructure | Security Operations
amunch at mit.edu
+1 (617) 324-4571
http://ist.mit.edu/secure
On Feb 26, 2014, at 12:36 PM, Matthew E Davies <medavies at mit.edu> wrote:
> Hi Andrew,
>
> From what I can tell from chatter online and reviewing Apple's information page about the update, the specific SSL/TLS flaw only affected 10.9.0 and 10.9.1. Is that not correct?
>
> Matt
>
> ---
> Matthew Davies
> IT Consultant I
> DUE Desktop Support
> Room 12-102
> 617-253-9817
> medavies at mit.edu
>
> On Feb 25, 2014, at 1:44 PM, Andrew Munchbach <amunch at MIT.EDU> wrote:
>
>> Good Afternoon,
>>
>> Apple has released a critical security update for OS X Mavericks (10.9) and Mountain Lion (10.8) to address a flaw discovered in SSL/TLS. SSL (Secure Sockets Layer) is part of the TLS (Transport Layer Security) protocol and is used to encrypt sensitive information, often in a browser, as it traverses the Internet.
>>
>> The flaw, as described by Apple, can provide "an attacker with a privileged network position [with the ability to] capture or modify data in sessions protected by SSL/TLS."
>>
>> It is recommended that all OS X users update their machines as soon as possible.
>>
>> Information on how to update OS X can be found on Apple's website [http://support.apple.com/kb/HT1338].
>>
>> Those that need assistance updating OS X should contact their local IT support liaison or the IS&T Help Desk [http://ist.mit.edu/help].
>>
>> A copy of this notice can be found in The Knowledge Base: http://kb.mit.edu/confluence/x/CEYYCQ
>>
>>
>> Regards,
>> Andrew
>> --
>> Andrew Munchbach
>> Network Security Analyst
>> Massachusetts Institute of Technology
>> IS&T | Operations & Infrastructure | Security Operations
>> security at mit.edu
>>
>> http://ist.mit.edu/secure
>>
>>
>