
List:       isn
Subject:    [ISN] Apple releases OS X 10.9.2 update, patches severe SSL bug
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2014-02-26 8:02:57
Message-ID: alpine.DEB.2.02.1402260802460.4068 () infosecnews ! org

http://www.zdnet.com/apple-releases-os-x-10-9-2-update-patches-severe-ssl-bug-7000026765/

By Adrian Kingsley-Hughes
ZDNet News
Security
February 25, 2014

Apple has released the OS X 10.9.2 update for all Mavericks users, which, 
amongst other things, patches the SSL bug in the operating system that 
could allow full transparent interception of HTTPS traffic.

This vulnerability not only affected Safari, but also other installed 
applications relying on an encrypted channel to the internet. However, 
third-party browsers such as Chrome and Firefox rely on different 
implementations of SSL/TLS, which means that they aren't subject to the 
vulnerability.

The bug, which has apparently gone unpatched since iOS 6's release in 
2012, resides in a piece of open source code used by Apple.

Aldo Cortesi, CEO and founder of security consultancy firm Nullcube, 
claimed to have intercepted iCloud data, including Keychain enrolment and 
updates, data from the Calendar application, and traffic from apps that use 
certificate pinning, such as Twitter.

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
