OS X 10.9.2 Update: Fix for Mail Problems, SSL Security Flaw, & More

Feb 25, 2014 - 41 Comments

OS X 10.9.2 Update

Apple has released OS X 10.9.2, a fairly major update to OS X Mavericks that includes resolutions to many problems and bugs encountered by Mac users. Critically, the OS X 10.9.2 update patches the SSL / TSL vulnerability for Macs that was fixed earlier for mobile devices with the iOS 7.0.6 update. The SSL fix alone makes the 10.9.2 update a particularly important release that all Mac users running Mavericks should install as soon as possible.

The OS X Update 10.9.2 also resolves remaining issues with OS X Mail, including resolutions to new email retrieval from services like Gmail and Outlook, fixes the Mail Archive problems, and the bundled SMB fixes should solve some of the issues encountered within the Finder. Separately, some additional features have been added to OS X, including native FaceTime Audio support, FaceTime call waiting support, iMessage blocking, and a variety of other stability and performance improvements.

Download OS X 10.9.2

The simplest way for most users to download and update to OS X 10.9.2 is through the Mac App Store, accessible through the  Apple menu by choosing “Software Update”. The download will be found within the “Updates” tab of the application.

Download OS X 10.9.2 Update

Downloaded through the App Store, the OS X 10.9.2 update weighs in between 460MB and 800MB, depending on the Mac being installed on. The final build for OS X 10.9.2 is 13C64.

As always, start a Time Machine backup and let it complete before installing any system updates, it is unlikely something will go wrong but it’s always better to be safe than sorry.

Users who have multiple Macs that need updating may wish to install OS X 10.9.2 through a Combo Updater, which can be directly downloaded here from Apple or through thegeneral Support Downloads website.

OS X 10.9.2 Release Notes

The release notes bundled with the Mavericks 10.9.2 update are as follows. Notably, there is no specific mention of the SSL / TSL security bug or a fix for it for Macs, but we can confirm the SSL bug has been patched with the 10.9.2 final build.

  • Adds the ability to make and receive FaceTime Audio calls from OS X to OS X and to iOS
  • Adds call waiting support for FaceTime audio and video calls
  • Adds the ability to block incoming iMessages from individual senders
  • Includes general improvements to the stability and compatibility of Mail
  • Improves the accuracy of unread counts in Mail
  • Resolves an issue that prevented Mail from receiving new messages from certain providers
  • Improves AutoFill compatibility in Safari
  • Fixes an issue that may cause audio distortion on certain Macs
  • Improves reliability when connecting to a file server using SMB2
  • Fixes an issue that may cause VPN connections to disconnect
  • Improves VoiceOver navigation in Mail and Finder
  • Improves VoiceOver reliability when navigating websites
  • Improves compatibility with Gmail Archive mailboxes
  • Includes improvements to Gmail labels
  • Improves Safari browsing and Software Update installation when using an authenticated web proxy
  • Adds additional layers of awesomeness to OSXDaily.com readers who read release notes
  • Fixes an issue that could cause the Mac App Store to offer updates for apps that are already up to date
  • Improves the reliability of diskless NetBoot service in OS X Server
  • Fixes braille driver support for specific HandyTech displays
  • Resolves an issue when using Safe Boot with some systems 
  • Improves ExpressCard compatibility for some MacBook Pro 2010 models
  • Resolves an issue which prevented printing to printers shared by Windows XP
  • Resolves an issue with Keychain that could cause repeated prompts to unlock the Local Items keychain
  • Fixes an issue that could prevent certain preference panes from opening in System Preferences
  • Fixes an issue that may prevent migration from completing while in Setup Assistant

The complete security specific notes can be found here.

Additional Security Updates for OS X Mountain Lion & Lion Available Separately

Aside from the OS X Mavericks 10.9.2 update, there is a Security Update to OS X Mountain Lion and OS X Lion Security Update available for users who are continuing to run Macs with older versions of OS X. Those updates can also be found in the Mac App Store on those machines, or downloaded directly from Apple as available here Security Update 2014-001 (Mountain Lion) and Security Update 2014-001 (Lion).

As usual, it is generally recommended to install the latest version of OS X available to you.

Enjoy this tip? Subscribe to the OSXDaily newsletter to get more of our great Apple tips, tricks, and important news delivered to your inbox! Enter your email address below:

Related articles:

Posted by: Paul Horowitz in Mac OS X, News

41 Comments

» Comments RSS Feed

  1. DG says:

    …….Adds additional layers of awesomeness to OSXDaily.com readers who read release notes

    LOL!

  2. Ignite Mindz says:

    beat me to it DG. NERD!!! *wedgie and noogie

  3. Grey says:

    Please god let the Gmail-IMAP / Mail clusterflock be fixed. Not that I give a poo, personally, since I don’t use Gmail — but most of my clients do, at least until I talk them into acquiring a domain and saying Adios Motherflocker to Google.

    • Grey says:

      For the record: I did not say ‘clusterflock’ nor did I say ‘poo’, but I did use a strategic asterisk in a few places in the vain hope of placating the apparently-Victorian-era-censors over there. Forchrisake, we’re not on the Mike Huckabee show here. Or maybe we are.

      • Paul says:

        Hey Grey, I had to edit some of your colorful word choices to pass through our comment filters. In some situations, asterisks placed correctly work to get through, but usually it’s fairly restrictive. In general, we try to aim for a PG commenting thread since there are a very wide variety of readers here, but many of the filtering restrictions are aimed at anti-spam measures too.

        Anyway, thanks for reading and commenting, and let us know how updating to OS X 10.9.2 works out for you :)

    • Craig says:

      I’m still having the same old problem with Mail not getting new gmail. My main acct is @mac.com but I use gmail a lot too. This problem didn’t occur until Mavericks cam along. No problem with mac.com but with gmail the Get Mail button doesn’t get new mail, so have to completely close out of Mail and re-open. BTW, using os 19.9.2.

      Is anyone else still having this problem?

  4. SierraSunset says:

    Apple also released security patches for Lion and Mountain Lion. Does this mean the SSL bug is present in those versions as well?

    • pH says:

      That is correct. Though the issue focused on OS X Mavericks, OS X Lion and OS X Mountain Lion have separate patches because they are also vulnerable.

  5. p3t3r g4br13l says:

    Some may appreciate the more technical security notes from here:

    http://support.apple.com/kb/HT6150

    APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update
    2014-001

    OS X Mavericks 10.9.2 and Security Update 2014-001 is now available
    and addresses the following:

    Apache
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Multiple vulnerabilities in Apache
    Description: Multiple vulnerabilities existed in Apache, the most
    serious of which may lead to cross-site scripting. These issues were
    addressed by updating Apache to version 2.2.26.
    CVE-ID
    CVE-2013-1862
    CVE-2013-1896

    App Sandbox
    Available for: OS X Mountain Lion v10.8.5
    Impact: The App Sandbox may be bypassed
    Description: The LaunchServices interface for launching an
    application allowed sandboxed apps to specify the list of arguments
    passed to the new process. A compromised sandboxed application could
    abuse this to bypass the sandbox. This issue was addressed by
    preventing sandboxed applications from specifying arguments. This
    issue does not affect systems running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

    ATS
    Available for: OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact: Viewing or downloading a document containing a maliciously
    crafted embedded font may lead to arbitrary code execution
    Description: A memory corruption issue existed in the handling of
    handling of Type 1 fonts. This issue was addressed through improved
    bounds checking.
    CVE-ID
    CVE-2014-1254 : Felix Groebert of the Google Security Team

    ATS
    Available for: OS X Mavericks 10.9 and 10.9.1
    Impact: The App Sandbox may be bypassed
    Description: A memory corruption issue existed in the handling of
    Mach messages passed to ATS. This issue was addressed through
    improved bounds checking.
    CVE-ID
    CVE-2014-1262 : Meder Kydyraliev of the Google Security Team

    ATS
    Available for: OS X Mavericks 10.9 and 10.9.1
    Impact: The App Sandbox may be bypassed
    Description: An arbitrary free issue existed in the handling of Mach
    messages passed to ATS. This issue was addressed through additional
    validation of Mach messages.
    CVE-ID
    CVE-2014-1255 : Meder Kydyraliev of the Google Security Team

    ATS
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: The App Sandbox may be bypassed
    Description: A buffer overflow issue existed in the handling of Mach
    messages passed to ATS. This issue was addressed by additional bounds
    checking.
    CVE-ID
    CVE-2014-1256 : Meder Kydyraliev of the Google Security Team

    Certificate Trust Policy
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Root certificates have been updated
    Description: The set of system root certificates has been updated.
    The complete list of recognized system roots may be viewed via the
    Keychain Access application.

    CFNetwork Cookies
    Available for: OS X Mountain Lion v10.8.5
    Impact: Session cookies may persist even after resetting Safari
    Description: Resetting Safari did not always delete session cookies
    until Safari was closed. This issue was addressed through improved
    handling of session cookies. This issue does not affect systems
    running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett

    CoreAnimation
    Available for: OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact: Visiting a maliciously crafted site may lead to an
    unexpected application termination or arbitrary code execution
    Description: A heap buffer overflow existed in CoreAnimation’s
    handling of images. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1258 : Karl Smith of NCC Group

    CoreText
    Available for: OS X Mavericks 10.9 and 10.9.1
    Impact: Applications that use CoreText may be vulnerable to an
    unexpected application termination or arbitrary code execution
    Description: A signedness issue existed in CoreText in the handling
    of Unicode fonts. This issue is addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs

    curl
    Available for: OS X Mavericks 10.9 and 10.9.1
    Impact: An attacker with a privileged network position may intercept
    user credentials or other sensitive information
    Description: When using curl to connect to an HTTPS URL containing
    an IP address, the IP address was not validated against the
    certificate. This issue does not affect systems prior to OS X
    Mavericks v10.9.
    CVE-ID
    CVE-2014-1263 : Roland Moriz of Moriz GmbH

    Data Security
    Available for: OS X Mavericks 10.9 and 10.9.1
    Impact: An attacker with a privileged network position may capture
    or modify data in sessions protected by SSL/TLS
    Description: Secure Transport failed to validate the authenticity of
    the connection. This issue was addressed by restoring missing
    validation steps.
    CVE-ID
    CVE-2014-1266

    Date and Time
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: An unprivileged user may change the system clock
    Description: This update changes the behavior of the systemsetup
    command to require administrator privileges to change the system
    clock.
    CVE-ID
    CVE-2014-1265

    File Bookmark
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Viewing a file with a maliciously crafted name may lead to
    an unexpected application termination or arbitrary code execution
    Description: A buffer overflow existed in the handling of file
    names. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1259

    Finder
    Available for: OS X Mavericks 10.9 and 10.9.1
    Impact: Accessing a file’s ACL via Finder may lead to other users
    gaining unauthorized access to files
    Description: Accessing a file’s ACL via Finder may corrupt the ACLs
    on the file. This issue was addressed through improved handling of
    ACLs.
    CVE-ID
    CVE-2014-1264

    ImageIO
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Viewing a maliciously crafted JPEG file may lead to the
    disclosure of memory contents
    Description: An uninitialized memory access issue existed in
    libjpeg’s handling of JPEG markers, resulting in the disclosure of
    memory contents. This issue was addressed by better JPEG handling.
    CVE-ID
    CVE-2013-6629 : Michal Zalewski

    IOSerialFamily
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5
    Impact: Executing a malicious application may result in arbitrary
    code execution within the kernel
    Description: An out of bounds array access existed in the
    IOSerialFamily driver. This issue was addressed through additional
    bounds checking. This issue does not affect systems running OS X
    Mavericks v10.9 or later.
    CVE-ID
    CVE-2013-5139 : @dent1zt

    LaunchServices
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5
    Impact: A file could show the wrong extension
    Description: An issue existed in the handling of certain unicode
    characters that could allow filenames to show incorrect extensions.
    The issue was addressed by filtering unsafe unicode characters from
    display in filenames. This issue does not affect systems running OS X
    Mavericks v10.9 or later.
    CVE-ID
    CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre
    of Intego

    NVIDIA Drivers
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Executing a malicious application could result in arbitrary
    code execution within the graphics card
    Description: An issue existed that allowed writes to some trusted
    memory on the graphics card. This issue was addressed by removing the
    ability of the host to write to that memory.
    CVE-ID
    CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation
    Nouveau project
    CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation
    Nouveau project

    PHP
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Multiple vulnerabilities in PHP
    Description: Multiple vulnerabilities existed in PHP, the most
    serious of which may have led to arbitrary code execution. These
    issues were addressed by updating PHP to version 5.4.22 on OS X
    Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
    CVE-ID
    CVE-2013-4073
    CVE-2013-4113
    CVE-2013-4248
    CVE-2013-6420

    QuickLook
    Available for: OS X Mountain Lion v10.8.5
    Impact: Downloading a maliciously crafted Microsoft Office file may
    lead to an unexpected application termination or arbitrary code
    execution
    Description: A memory corruption issue existed in QuickLook’s
    handling of Microsoft Office files. Downloading a maliciously crafted
    Microsoft Office file may have led to an unexpected application
    termination or arbitrary code execution. This issue does not affect
    systems running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2014-1260 : Felix Groebert of the Google Security Team

    QuickLook
    Available for: OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact: Downloading a maliciously crafted Microsoft Word document
    may lead to an unexpected application termination or arbitrary code
    execution
    Description: A double free issue existed in QuickLook’s handling of
    Microsoft Word documents. This issue was addressed through improved
    memory management.
    CVE-ID
    CVE-2014-1252 : Felix Groebert of the Google Security Team

    QuickTime
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description: A buffer overflow existed in the handling of ‘ftab’
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1246 : An anonymous researcher working with HP’s Zero Day
    Initiative

    QuickTime
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description: A memory corruption issue existed in the handling of
    ‘dref’ atoms. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP’s Zero Day
    Initiative

    QuickTime
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description: A buffer overflow existed in the handling of ‘ldat’
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1248 : Jason Kratzer working with iDefense VCP

    QuickTime
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Viewing a maliciously crafted PSD image may lead to an
    unexpected application termination or arbitrary code execution
    Description: A buffer overflow existed in the handling of PSD
    images. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1249 : dragonltx of Tencent Security Team

    QuickTime
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description: An out of bounds byte swapping issue existed in the
    handling of ‘ttfo’ elements. This issue was addressed through
    improved bounds checking.
    CVE-ID
    CVE-2014-1250 : Jason Kratzer working with iDefense VCP

    QuickTime
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact: Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description: A signedness issue existed in the handling of ‘stsz’
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP’s Zero Day
    Initiative

    Secure Transport
    Available for: OS X Mountain Lion v10.8.5
    Impact: An attacker may be able to decrypt data protected by SSL
    Description: There were known attacks on the confidentiality of SSL
    3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode.
    To address these issues for applications using Secure Transport, the
    1-byte fragment mitigation was enabled by default for this
    configuration.
    CVE-ID
    CVE-2011-3389 : Juliano Rizzo and Thai Duong

    OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.

    OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from
    the Mac App Store or Apple’s Software Downloads web site:
    http://www.apple.com/support/downloads/

    • Brooklyn Geek says:

      Uh, I don’t mean to be a nitpick, but there’s really no need to repost the ENTIRE CONTENT OF THE PAGE YOU PROVIDED THE LINK FOR.

  6. punker661 says:

    graphic drivers nothing?

  7. Max says:

    Safari runs better.

    With Mavericks on my Spring 2009 Macbook, Safari would hang up and give me the beach ball frequently when I scrolled down a page. Something was hanging up or loading slowly.

    Today, with 10.9.2, scrolling down the page finally feels “friction-free.” No beach balls or delays.

  8. John says:

    FIX THE LABELS! Make the Finder able to use the label system in Mountain Lion and prior OSs.

    Sheesh.

  9. tom swift says:

    Software Update showed nothing for Snow Leopard.

  10. Adrian says:

    Now my Mac will not connect to inet. It shows wireless is connected but nothing.

  11. John says:

    Was the sleep/wake issue fixed in 10.9.2? I have a Macbook Pro, with this issue, even though I have read it was just Macbook Air?

    Coming out of sleep, I end up with display corruption and then an automatic reboot.

    Thanks

  12. Eithanius says:

    Boring…! It’s not gonna change the facts that Mavericks still sucks…!

    Snow Leopard FTW…!!!

  13. HipposRule says:

    Not showing as available on mine (10.9.1). Possibly as I’m in the UK?

  14. Doctor X says:

    “The OS X Update 10.9.2 also resolves remaining issues with OS X Mail”

    Not according to reviews on MacUpdate. More than a few are reporting the damn application continuously hangs and crashes.

    Will wait longer.

  15. Ben says:

    Mail is partially fixed, but not entirely. Mail inbox is still not in sync with gmail version (which is real).

  16. Kevin Roa says:

    Might kill your internal and external cams. Like it did to me.

    https://discussions.apple.com/thread/5939338?start=15&tstart=0

  17. Danny Byrd says:

    Mail is NOT fixed and it is NOT limited to GMAIL. It is limited to IMAP and the same problems still exist. Have to take all accounts offline and back on to start receiving mail again. Happens multiple times during the day. Just on IMAP accounts and I don’t use any Gmail.

  18. Nevin Williams says:

    It got rid of the annoying iPhoto warning about screen resolution, when running at 720p.

  19. eric says:

    After the update can no longer send emails anymore from my gmail / business account. Really really annoying.

    Why can’t the two gorillas on the block find a way to work together to make life for users easier.

    And obviously it is impossible to get through to a customer rep from either of the two companies.

  20. Steve Summers says:

    Q: I realize, after the update, one can go to Apple Menu>About this Mac and see the version, but is there any other way to determine that the update was installed successfully?
    -Thanks.

  21. Hendrik says:

    Thought the SMB2 might be more *reliable*, it’s still shockingly *S*L*O*O*O*W*W* as in 2-3MB/sec copying via Finder vs 50+MB/sec inside a VMWare Win7 VM inside the same laptop ;(

  22. Shilo Watts says:

    I can’t seem to be able to get the jailbreak working for the macs now.

    is possible to do i wonder?

Leave a Reply

 

Shop for Apple & Mac Deals on Amazon.com

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates