SektionEins released a quick and dirty experimental fix for this vulnerability.

The Vulnerability Yesterday Apple released iOS 7.0.6 and iOS 6.1.6. Both fix a serious security flaw (CVE-2014-1266) in the SSL handling code inside the Security.framework. The flaw is very serious because it totally compromises the security of SSL and allows for man in the middle attack on otherwise secure SSL connections without any warning on the client side. Unfortunately it has been discovered that this vulnerability is also present in OSX Mavericks. When you look at the following code snippet that is taken from Security.framework's sslKeyExchange.c you can spot a superfluous "goto fail;" statement. This statement is executed in all cases and completely bypasses the call to sslRawVerify. This means there is actually no verification performed on the signed server key exchange. static OSStatus SSLVerifySignedServerKeyExchange ( SSLContext * ctx , bool isRsa , SSLBuffer signedParams , uint8_t * signature , UInt16 signatureLen ) { ... if (( err = ReadyHash ( & SSLHashSHA1 , & hashCtx )) != 0 ) goto fail ; if (( err = SSLHashSHA1 . update ( & hashCtx , & clientRandom )) != 0 ) goto fail ; if (( err = SSLHashSHA1 . update ( & hashCtx , & serverRandom )) != 0 ) goto fail ; if (( err = SSLHashSHA1 . update ( & hashCtx , & signedParams )) != 0 ) goto fail ; goto fail ; <---- *** DANGER *** if (( err = SSLHashSHA1 . final ( & hashCtx , & hashOut )) != 0 ) goto fail ; err = sslRawVerify ( ctx , ctx -> peerPubKey , dataToSign , /* plaintext */ dataToSignLen , /* plaintext length */ signature , signatureLen ); ... fail : SSLFreeBuffer ( & signedHashes ); SSLFreeBuffer ( & hashCtx ); return err ; } You can read more information about this vulnerability over at ImperialViolet.

The Patch Because Apple decided to just release updates for iOS and leave OSX Mavericks users vulnerable over a weekend, we have looked into this issue and created a little binary patch that fixes this vulnerability by re-adding the removed code. This is of course just a quick and dirty solution to test the impact of this vulnerability. You should not attempt to run this on production systems. And don't forget that we only patch the 64bit version of the Security.framework. If your code is 32bit you have to port the fix to 32bit. .text # # This is the original code inside the Security.framework binary # #__text:0000000000086C3B lea r15, _SSLHashSHA1 #__text:0000000000086C42 lea rsi, [rbp+var_C8] #__text:0000000000086C49 mov rdi, r15 #__text:0000000000086C4C call _ReadyHash #__text:0000000000086C51 mov ebx, eax #__text:0000000000086C53 test ebx, ebx #__text:0000000000086C55 jnz short loc_86C9C #__text:0000000000086C57 mov r14, [r15+18h] #__text:0000000000086C5B lea rdi, [rbp+var_C8] #__text:0000000000086C62 lea rsi, [rbp+var_D8] #__text:0000000000086C69 call r14 #__text:0000000000086C6C mov ebx, eax #__text:0000000000086C6E test ebx, ebx #__text:0000000000086C70 jnz short loc_86C9C #__text:0000000000086C72 lea rdi, [rbp+var_C8] #__text:0000000000086C79 lea rsi, [rbp+var_E8] #__text:0000000000086C80 call r14 #__text:0000000000086C83 mov ebx, eax #__text:0000000000086C85 test ebx, ebx #__text:0000000000086C87 jnz short loc_86C9C #__text:0000000000086C89 lea rdi, [rbp+var_C8] #__text:0000000000086C90 lea rsi, [rbp+var_A8] #__text:0000000000086C97 call r14 #__text:0000000000086C9A mov ebx, eax # we insert the hook at 0x86c90 lea - 0xa8 ( %rbp ), %rsi # signedParams call * %r14 # SSLHashSHA1.update mov %eax , %ebx test %ebx , %ebx jnz 1 f lea - 0xc8 ( %rbp ), %rdi # hashCtx lea - 0xb8 ( %rbp ), %rsi # hashOut call * 0x20 ( %r15 ) # SSLHashSHA1.final mov %eax , %ebx test %ebx , %ebx jnz 1 f mov - 0x1e0 ( %rbp ), %r8 # signature xor %rsi , %rsi inc %rsi inc %rsi mov %r8 , %rdi sub %rsi , %rdi call _SSLDecodeInt cwde cdqe mov %rax , %r9 # signatureLen mov %r12 , %rdi # ctx mov + 0x78 ( %rdi ), %rsi # ctx->peerPubKey mov - 0xb0 ( %rbp ), %rdx # dataToSign from hashOut.data mov $20 , %rcx # SSL_SHA1_DIGEST_LEN cmpb $0 , - 0x1a8 ( %rbp ) # isRsa jz 2 f sub $16 , %rdx # Need MD5 so pos-SSL_MD5_DIGEST_LEN mov $36 , %rcx # dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN 2: call _sslRawVerify jmp label_86C9A 1: jmp label_86C9C