FORTUNE — Ashkan Soltani, an independent computer security expert best known for analyzing Edward Snowden’s NSA leaks for the Washington Post, has published a list of applications running Mac OS X 10.9 that he says are vulnerable to the same security hole Apple (AAPL) patched in its mobile operating system on Friday.

They include apps used by millions of Mac users every day: Mail, Safari and Calendar.

The bug, a single wayward “goto fail” command in Apple’s SecureTansport protocol, is a newer problem for the Mac than for the iPhone. It’s been lurking in the shadows of iOS since September 2012. According to ImperialViolet‘s Adam Langley, who isolated the bug on Saturday, it showed up in the Mac with the release of OS X Mavericks three months ago.

“We are aware of this issue,” an Apple spokeswoman told Fortune, “and already have a software fix that will be released very soon.”

Meanwhile, some experts were surprised that Apple would reveal the existence of the problem in iOS while OS X was still open to attack.

“Come the hell on, Apple,” wrote Kristin Paget, a self-identified “princess hacker” who left Apple last month to shore up security at Tesla Motors (TSLA). “You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.” [0day = zero-day computer attack].

Paget is famous both for a 2010 stunt in which she intercepted AT&T (T) phone calls at a hacker conference using a fake cell tower built with $1,500 worth of spare parts, and for changing her name (and sexual self-identfication) in 2011 from Chris to Kristin. As it happens, she joined Apple in Sept. 2012, when the bug appeared in iOS 6.0, and left in January 2014, a few weeks before it was patched.

See also: Apple’s security bug: Five NSA conspiracy theories