Has goto fail been fixed yet?


On Feb. 25, 2014, 93 hours after patching the bug on iOS, Apple finally released
a security update for OS X. The release notes for the OS X Mavericks v10.9.2
update do not mention a patch for the SSL/TLS bug, but another set of notes contains
information about the security content of 10.9.2 and Security Update 2014-001.

On Feb. 21, 2014, Apple pushed a security update for iOS to patch a bug in its
implementation of SSL/TLS. Without the security update, an attacker could easily listen in
while you send emails, update your calendar, tweet, use Facebook, or check your bank
account on a shared network, such as public WiFi at a library or coffee shop.

Apple did not say how long the bug has been around, but it was likely introduced
somewhere between iOS 6.0.0 (released Sept. 2012) and 6.1.3 (released Mar. 2013).

Researchers have determined that the bug also affects OS X 10.9, including apps such as
FaceTime, Mail, and Software Update. Apple has promised to release a fix "very soon."

The code containing Apple's goto fail bug is available on opensource.apple.com. As always,
Adam Langley has a great technical writeup on this issue.