Four days in and still no patch for critical “goto fail” bug in OS X (updated)

Update: Shortly after this brief went live, Apple released OS X version 10.9.2, which finally patches the critical "goto fail" bug.

It has been four days since Mac users began learning of a critical vulnerability in the latest version of OS X that gives attackers an easy way to surreptitiously circumvent the most widely used technology for preventing Internet eavesdropping. Three days ago, Apple told Reuters that it plans to release a patch "very soon," but it didn't elaborate on the details.

If it wasn't clear before, it should be painfully obvious now. The security and privacy of millions of Mavericks users depend on a patch becoming available soon. The vulnerability is taking on renewed urgency given the increasing availability of proof-of-concept code that exploits it. On Tuesday, security consultant Aldo Cortesi was the latest to create working attack code that targets the bug. Other public sites that do much the same thing include gotofail.com and this test page, which is signed with a key that doesn't match the underlying transport layer security certificate. The proliferation of code makes life easier for less-skilled hackers who may want to exploit the vulnerability maliciously.
