For what it's worth, I just used homebrew (http://brew.sh/):
brew update
brew install openssl
brew link --force openssl
openssl version -a
If one of the bad versions comes up (1.0.1a-f), you can figure out which openssl binary you're using this way:
which openssl
Often this is from /usr/bin. To make sure you get the updated version, drop a symlink into /usr/local/bin to point to the updated openssl, like this:
ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/local/bin/openssl
As an alternative to that final step, some people replace the openssl in /usr/bin with a symlink to /usr/local/Cellar/openssl/1.0.1g/bin/openssl (or whatever your version is):
mv /usr/bin/openssl /usr/bin/openssl_OLD
ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /usr/bin/openssl
But this is known to cause problems with some more recent versions of OSX. Better to just insert a new symlink into /usr/local/bin, which should take precedence on your path over /usr/bin.
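As an added example (not code from the answer above), here is a small POSIX shell script that does the two checks the answer describes without editing any files: it parses the version token out of the first line of "openssl version -a", flags the 1.0.1a-f range the answer names (and also the unlettered 1.0.1 release, which was affected as well), and reports which openssl binary is first on PATH and whether it lives under the Homebrew prefix. The function names and the sample outputs are constructed for this example; the /usr/local prefix is an assumption matching the Homebrew layout used in the answer.

```shell
#!/bin/sh
# Added example: check an OpenSSL version string and locate the active binary.
# Function names and sample data are constructed for this example.

# Returns 0 (true) when the version token is 1.0.1 or 1.0.1a through 1.0.1f,
# the range the answer above treats as bad; anything else returns 1.
is_affected_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version token from "openssl version -a" output,
# e.g. "OpenSSL 1.0.1g 7 Apr 2014" -> "1.0.1g".
parse_openssl_version() {
    printf '%s\n' "$1" | awk '/^OpenSSL/ {print $2; exit}'
}

# Classifies captured "openssl version -a" output. Returns 1 if the build
# is in the affected range, 0 otherwise, 2 if no version could be parsed.
classify_openssl_output() {
    ver=$(parse_openssl_version "$1")
    [ -n "$ver" ] || { echo "could not parse an OpenSSL version"; return 2; }
    if is_affected_version "$ver"; then
        echo "OpenSSL $ver: in the affected 1.0.1-1.0.1f range, update it"
        return 1
    fi
    echo "OpenSSL $ver: not in the affected range"
    return 0
}

# Reports which openssl the shell would run (the answer's "which openssl")
# and whether it is the Homebrew copy under /usr/local (assumed prefix).
report_openssl_binary() {
    bin=$(command -v openssl 2>/dev/null) || { echo "openssl not found on PATH"; return 1; }
    case "$bin" in
        /usr/local/*) echo "$bin (Homebrew build under /usr/local)" ;;
        *) echo "$bin (system build; Homebrew copy is not first on PATH)" ;;
    esac
}

# Runs the classification against the openssl actually installed here.
check_installed_openssl() {
    out=$(openssl version -a 2>/dev/null) || { echo "cannot run openssl"; return 2; }
    classify_openssl_output "$out"
}

# Constructed sample outputs, so the script demonstrates itself offline.
SAMPLE_AFFECTED="OpenSSL 1.0.1f 6 Jan 2014
built on: Tue Jan  7 00:00:00 UTC 2014"
SAMPLE_FIXED="OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 00:00:00 UTC 2014"
SAMPLE_OLD_BRANCH="OpenSSL 0.9.8zg 11 Jun 2015
built on: Thu Jun 11 00:00:00 UTC 2015"

classify_openssl_output "$SAMPLE_AFFECTED"
classify_openssl_output "$SAMPLE_FIXED"
classify_openssl_output "$SAMPLE_OLD_BRANCH"
report_openssl_binary
```

Running the script prints the classification for the three constructed samples and then the path of whatever openssl is first on your PATH; call check_installed_openssl to classify the real binary. Because the classification works on captured text, you can also paste in the output from a machine you are auditing remotely.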
I think what Rob is getting at and what I think might be happening is that you have some malware (virus, etc) on your Mac (yes they do exist) that could be adding things to web pages.
It could be as simple as a browser extension or plug-in with some hijacking code in it, or something more system wide.
You could try resetting Safari (from the Safari menu select Reset Safari), turning off extensions (Safari menu -> Preferences -> Extensions, then turn them all off) or going into private browsing mode (Safari menu -> Private Browsing).
Optionally you could try another browser, Chrome or Firefox would be my choices. If they do the same thing then it may be system-wide and time for a virus checker or a visit with your favorite Mac repair shop (Apple store or local reseller) to determine what is going on.
Also, some routers and some ISPs inject ads and other stuff into web pages. Try it on a different WiFi (Starbucks, etc.) and see if the issue goes away.
Best Answer
It isn't.
If you click on the link you posted in your question, you will see that this update patches a number of vulnerabilities which exist identically in OpenSSL 0.9.8, 1.0.0, 1.0.1, and 1.0.2.
So, in other words, the version you are later suggesting as an alternative, 1.0.2, was just as vulnerable as 0.9.8 was, and both were fixed at the same time.
Apple is updating OpenSSL to 0.9.8zg, which is just 2 months old, and only 4 weeks older than 1.0.2d.
That is something you will have to ask Apple. My best guess is that 0.9.8 is the version they did their compatibility testing with, and upgrading to a newer version would require a completely new round of testing for a component that is deprecated anyway. Since it is deprecated, newer software (which would possibly rely on newer features) shouldn't use it anyway, and older software which still uses it doesn't use the new features (because they didn't exist) and might even be broken by an update, so why bother?
As long as the OpenSSL community still maintains the 0.9.8 branch, Apple doesn't even have to do the work of backporting patches.
Note that this is nothing unusual. Apple shipped an old version of Ruby for a very long time, and they generally don't update during a release cycle, only in between releases. Linux distributions, as well as BSDs and other Unix distributions, also typically don't update versions during a release; they only apply bugfixes and security fixes. Debian, in particular, generally doesn't even fix all bugs, only security vulnerabilities and bugs which might result in loss of user data – any change, even a bugfix, is a potential incompatibility and a potential for new bugs; known bugs are better than unknown ones!