Apple Releases OS X 10.9.3, Fixes Serious Flaw in iTunes

Apple has released a new version of OS X Mavericks, which includes all of the security fixes it pushed out last month. OS X 10.9.3 includes the patches for the so-called triple handshake SSL vulnerability, as well as fixes for several remote code-execution vulnerabilities. The company also released a patch for iTunes that fixes a problem that allows attackers to steal users’ iTunes credentials.

In April, Apple patched a number of vulnerabilities in OS X that allowed an attacker to run arbitrary code on vulnerable machines. The patch release also included a fix for an issue in the SSL implementation in OS X that gave an attacker the ability to intercept SSL-protected traffic in some circumstances.

“In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” the Apple advisory says.

These fixes were pushed out as a security update in late April, but Apple has now released them as part of OS X 10.9.3, which also contains some new features and stability fixes.

The release of iTunes 11.2 includes a single security fix, but it’s an important one. The vulnerability Apple patched in the latest version of its multimedia application could enable an attacker to steal a user’s credentials in some cases.

“Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines,” the Apple advisory says.
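To make the advisory's point concrete, here is an added example (not Apple's or iTunes' code) contrasting a header parser that processes whatever bytes arrived before the connection closed with one that only accepts CRLF-terminated header lines, which is the fix the advisory describes. The HTTP responses are constructed inline; `Cookie`, `parse_headers_naive` and `parse_headers_strict` are hypothetical simplifications of a client's cookie handling.

```python
"""Added example: why a client must ignore incomplete HTTP header lines.

If the peer (or someone in the path) closes the connection after
"Set-Cookie: session=abc123" but before "; Secure; HttpOnly\r\n" arrives,
a parser that treats the fragment as a complete header stores the cookie
without its protective attributes. The strict parser drops the fragment.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def _parse_set_cookie(line: str) -> Cookie:
    """Parse 'Set-Cookie: name=value; Attr; Attr' into a Cookie (hypothetical helper)."""
    _, _, body = line.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def parse_headers_naive(raw: bytes) -> list[Cookie]:
    """Vulnerable behaviour: every fragment is treated as a complete header line,
    even when the connection closed before the terminating CRLF arrived."""
    lines = raw.decode("latin-1").split("\r\n")
    cookies: list[Cookie] = []
    for line in lines:
        if line == "":          # blank line ends the header block
            break
        if line.lower().startswith("set-cookie:"):
            cookies.append(_parse_set_cookie(line))
    return cookies


def parse_headers_strict(raw: bytes) -> list[Cookie]:
    """Hardened behaviour: only CRLF-terminated header lines are processed.
    After split("\\r\\n"), the last element is whatever followed the final CRLF:
    an empty string if the data ended cleanly, or an incomplete line otherwise.
    Dropping it means a truncated Set-Cookie is never stored."""
    lines = raw.decode("latin-1").split("\r\n")[:-1]
    cookies: list[Cookie] = []
    for line in lines:
        if line == "":
            break
        if line.lower().startswith("set-cookie:"):
            cookies.append(_parse_set_cookie(line))
    return cookies


# Constructed sample responses (not captured traffic).
COMPLETE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
    b"\r\n"
)
# The same response, with the connection closed mid-header line.
TRUNCATED = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123"


if __name__ == "__main__":
    print("naive, truncated :", parse_headers_naive(TRUNCATED))    # Secure/HttpOnly lost
    print("strict, truncated:", parse_headers_strict(TRUNCATED))   # nothing stored
    print("strict, complete :", parse_headers_strict(COMPLETE))    # flags intact
```

The only difference between the two functions is the `[:-1]` that discards the unterminated trailing line; that single rule is what keeps a forced early close from downgrading the cookie to one without `Secure` and `HttpOnly`.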

Provided from: threatpost.