by ef4 4498 days ago
So if you're on Mavericks and left hanging, there are some evasive actions you can take.

As others have pointed out, Firefox and Chrome are not vulnerable. But what else may be relying on the system SSL implementation? Your IM client? Various software updaters? Dropbox? Skype? Etc.

Rather than guess, I'm whitelisting only the things I trust. I'm using the pf firewall to block all outbound connections other than DNS and SSH, using SSH to open a SOCKS proxy tunnel, and configuring Firefox to use the proxy (not via the system proxy settings -- via Firefox's own proxy config, so other apps don't know about it and can't get out).

A simpler solution for those who want to buy a commercial product would be to install Little Snitch and start with a completely empty list of approved apps, then turn on only Firefox.
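The pf lockdown plus SSH SOCKS tunnel described in the comment above, written out as an added example (not the commenter's own files). The interface name en0, the jump host name and local port 1080 are placeholders to adjust; Firefox is then pointed at 127.0.0.1:1080 via its own connection settings, not the system proxy.

```shell
#!/bin/sh
# Added example, not from the original comment. Default-deny outbound with pf,
# allowing only DNS and SSH, then tunnel Firefox through an SSH SOCKS proxy.
# Assumptions (placeholders): interface en0, a trusted host reachable on tcp/22.

# Emit a constructed pf ruleset: drop every outbound packet on the interface
# except DNS (udp/tcp 53) and SSH (tcp 22). Loopback is skipped so Firefox can
# still reach the local SOCKS listener.
gen_pf_rules() {
  iface="${1:-en0}"
  cat <<EOF
# Constructed ruleset: default-deny outbound, whitelist DNS and SSH only.
set skip on lo0
block return out on ${iface} all
pass out on ${iface} proto udp to any port 53 keep state
pass out on ${iface} proto tcp to any port 53 keep state
pass out on ${iface} proto tcp to any port 22 flags S/SA keep state
EOF
}

# Build the ssh command that opens a local SOCKS listener (-D) over the one
# permitted outbound channel. -N: no remote command, just the tunnel.
gen_ssh_tunnel_cmd() {
  host="$1"; port="${2:-1080}"
  printf 'ssh -N -D 127.0.0.1:%s %s\n' "$port" "$host"
}

# Load the ruleset (root required). pfctl -n is a parse-only dry run so a typo
# cannot lock you out; -ef then enables pf and replaces the active ruleset
# until the next reboot or reload of /etc/pf.conf.
apply_pf_rules() {
  conf="/tmp/ssl_lockdown.pf.conf"
  gen_pf_rules "$1" > "$conf"
  sudo pfctl -nf "$conf" || return 1
  sudo pfctl -ef "$conf"
}

# Typical use (not run automatically):
#   apply_pf_rules en0
#   $(gen_ssh_tunnel_cmd jump.example.com 1080) &
# Then in Firefox: manual proxy, SOCKS host 127.0.0.1, port 1080, SOCKS v5.
```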


>But what else may be relying on the system SSL implementation? Your IM client? Various software updaters? Dropbox? Skype? Etc.

Mail seems like a huge concern. I use two-factor on my google account, but that's not worth much when SSL doesn't work. For the time being, at least there's webmail + Firefox.

This article claims that you can grep for the version number using otool and if it's not present the binary uses a different version of the library.

http://www.theregister.co.uk/2014/02/23/apple_mac_os_x_10_9_...

Latest Dropbox (v2.6.5), Adium, and Skype are fine according to this test. Most of Apple's software appears vulnerable, however.

I'm not at all sure if this test is definitive, however.

Many apps use WebKit and are therefore affected too. It is in particular obvious for special purpose browsers like Mailplane.