Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

10.9.2 Fixes Critical SSL Security Bug, Adds FaceTime Audio

Apple has released OS X Mavericks 10.9.2 Update, which finally brings to the Mac FaceTime audio, introduced in iOS 7 back in September 2013, and fixes a nasty security vulnerability in SSL/TLS (see “Apple Updates iOS and Apple TV to Fix Critical SSL Security Bug,” 24 February 2014). If you’re using Mavericks, we strongly encourage you to install the free update, either via Software Update (460 MB) or from Apple’s Support Downloads site (733 MB). If you skipped the 10.9.1 update, you can also grab a combo update (859.7 MB) to upgrade directly from 10.9 to 10.9.2.

The SSL/TLS bug was caused by a faulty “goto” line, which prevented iOS 6 and 7 and OS X 10.9.1 Mavericks from checking signatures in TLS Server Key Exchange messages, which could have allowed attackers to use man-in-the-middle attacks to spoof SSL-protected sites. According to Apple’s security notes, the vulnerability does not affect 10.8 Mountain Lion and earlier versions of Mac OS X. Although the SSL/TLS bug was particularly important to address, 10.9.2 also patches numerous vulnerabilities in app sandboxing, ACLs in the Finder, font handling, image display, Nvidia drivers, Quick Look, QuickTime, and the system clock, along with the Apache Web server, curl data transfer tool, and PHP scripting language.

To place FaceTime Audio calls to fellow 10.9.2 users or users of iOS 7, open the FaceTime app, and then either click the phone handset icon next to a contact’s name or click a contact’s name and click FaceTime Audio. You now also have the option to activate call waiting for both FaceTime audio and video calls.

In another welcome addition, Messages in 10.9.2 now lets you block iMessages from specific senders. To do so, choose Messages > Preferences, select the Accounts tab, and then click Blocked in the right pane. Once there, you see a list of blocked senders, which you can edit with the plus and minus buttons.


Happily, 10.9.2 claims a number of improvements to Mail, including more accurate unread counts, a fix for a bug that prevented Mail from receiving new messages from certain email providers, better compatibility with Gmail Archive mailboxes, improvements to Gmail labels, and “general improvements to the stability and compatibility of Mail.” Joe Kissell has more to say about this in “Mail Improvements in OS X 10.9.2” (25 February 2014).

Also included in 10.9.2 is Safari 7.0.2, which improves AutoFill compatibility and browsing when using an authenticated Web proxy, and fixes a WebKit vulnerability that could lead to arbitrary code execution.

Although the security fixes, FaceTime Audio additions, and iMessage sender blocking are the main reasons to move from previous versions of Mavericks to 10.9.2 — which we highly recommend! — the update also:

  • Fixes an issue that may cause audio distortion on certain Macs
  • Improves reliability when connecting to a file server using SMB2
  • Fixes an issue that may cause VPN connections to disconnect
  • Improves VoiceOver navigation in Mail and Finder
  • Improves VoiceOver reliability when navigating Web sites
  • Improves Software Update installation when using an authenticated Web proxy
  • Fixes an issue that could cause the Mac App Store to offer updates for apps that are already up to date
  • Improves the reliability of diskless NetBoot service in OS X Server
  • Fixes braille driver support for specific HandyTech displays
  • Resolves an issue when using Safe Boot with some systems
  • Improves ExpressCard compatibility for some MacBook Pro 2010 models
  • Resolves an issue which prevented printing to printers shared by Windows XP
  • Resolves an issue with Keychain that could cause repeated prompts to unlock the Local Items keychain
  • Fixes an issue that could prevent certain preference panes from opening in System Preferences
  • Fixes an issue that may prevent migration from completing while in Setup Assistant
  • Provides a fix for SSL connection verification


Make friends and influence people by sponsoring TidBITS!
Put your company and products in front of tens of thousands of
savvy, committed Apple users who actually buy stuff.
More information: <>

Comments about 10.9.2 Fixes Critical SSL Security Bug, Adds FaceTime Audio
(Comments are closed.)

Tommy Friedmann  2014-02-26 11:14
How do you invoke audio Facetime on iOs 7 other than going to the home screen?
Steven Fisher  2014-02-26 12:49
You can do it from the Phone app; there’s a row for FaceTime. Tap the phone icon beside it to start a FaceTime Audio call.

Bunch of other ways too, I’m sure.
Tommy Friedmann  2014-02-26 12:54
Thanks, hadn't seen it
Josh Centers  An apple icon for a TidBITS Staffer 2014-02-26 13:02
You can also use Siri. Say "FaceTime Josh Centers" or "FaceTime Audio Josh Centers."
tzabar  An apple icon for a TidBITS Supporter 2014-02-28 04:07
10.9 and Safari are updated. What's the alternative to Adobe Flash Player v. I prefer Safari over the other choices.
Adobe Flash Player 13 beta, 2/25/14
Paul Corr  2014-03-03 18:24
I thought it was entertaining that the description of 10.9.2 in the Mac App Store window did not have the SSL bug listed, I had to go to the KB article and it showed it as dead last. I wouldn't have guessed it was an afterthought... "Oh yeah, this too." (Not that anyone noticed the vulnerability and were looking for the fix.)
How do you turn off FaceTime entirely on a Mac?

I didn't find anything in the Sys Prefs for iCloud or Internet Accounts. I opened FaceTime and it claimed it was off. Nevertheless, on my iPhone I just got a notification that my Mac would be accepting FaceTime calls to my iCloud address. What the heck???

These things have started to happen way more often post-10.6. Strange behavior you can't really explain or troubleshoot. You just learn to put up with it. The kind of thing I used to consider typical of MS software and Windows.
Curtis Wilcox  An apple icon for a Friend of TidBITS 2014-03-04 04:19
Rather than setting FaceTime to "off" which is meant to be temporary, you probably need to sign out your Apple ID within FaceTime. Open FaceTime, click your Apple ID, then click Sign Out.
That's the kicker - according to FaceTime I'm not even signed in!