The reason I'm in 1.8.5 is because I upgraded to Mavericks, but one of their updates forced me to recover from Time Machine (which wasn't as smooth as I expected)
As others have pointed out, Firefox and Chrome are not vulnerable. But what else may be relying on the system SSL implementation? Your IM client? Various software updaters? Dropbox? Skype? Etc.
Rather than guess, I'm whitelisting only the things I trust. I'm using the pf firewall to block all outbound connections other than DNS and SSH, using SSH to open a SOCKS proxy tunnel, and configuring Firefox to use the proxy (not via the system proxy settings -- via Firefox's own proxy config, so other apps don't know about it and can't get out).
A simpler solution for those who want to buy a commercial product would be to install Little Snitch and start with a completely empty list of approved apps, then turn on only Firefox.
Mail seems like a huge concern. I use two-factor on my google account, but that's not worth much when SSL doesn't work. For the time being, at least there's webmail + Firefox.
Latest Dropbox (v2.6.5), Adium, and Skype are fine according to this test. Most of Apple's software appears vulnerable however.
I'm not at all sure if this test is definitie however.
The unknown factor which makes rlu's comment so ignorant, is that we don't know whether the vulnerability is already known and being exploited.
If so, then not delaying the iOS patch is the correct call.
Thanks for showing us what kind of person you are.
On OSX Firefox and Chrome fail and Safari happily loads it. Yay for not using system crypto libraries.
Also, upon closer inspection, mine actually works differently from agl's.
The updater for Apple's own stuff obviously doesn't have this constraint, but it should involve a different signing key than the one used for third-party apps.
Can anyone else comment on if this is a decent solution?
EDIT: I'm not using Little Snitch or anything other than the builtin OSX firewall.
I've not seen any information about fixing this issue on OSX. Have I just missed it in the noise about the iOS fix?
Chrome/Firefox shouldn't be vulnerable.