Patch iOS, OS X now: PDFs, JPEGs, URLs, web pages can pwn your kit

  • 23 April 2014


Plus: iThings and desktops at risk of NEW SSL attack flaw

By Shaun Nichols, 22 Apr 2014

Apple has released updates to its iOS and OS X operating systems that address serious security flaws.
The company said the iOS 7.1.1 upgrade will include, as well as some stability updates, fixes for 19 security flaws.
One of those vulnerabilities is a "triple handshake" error in iOS SecureTransport – which is part of the OS that provides SSL/TLS encryption for stuff sent across the internet. The flaw, which also affects OS X 10.8.5 and 10.9.2, effectively allows a network snooper to maliciously inject data into a supposedly secure connection.
 
According to Apple, the bug allows an eavesdropper "to establish two [ssl] connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other".
 
Also fixed were a flaw in IOKit that leaked kernel pointers – handy for jailbreaking tools – and a possible login cookie disclosure flaw in the iOS HTTPProtocol component. According to Apple: "Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie."
 
 
 
Full Article
 
 
No comment...as I am not an Apple fan or user...LOL!
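The Set-Cookie flaw quoted from Apple above, as an added example that is not part of the original post or Apple's code: a lenient parser that processes an unterminated final header line, next to one that ignores incomplete lines. The function names and the sample response are constructed for illustration.

```python
CRLF = b"\r\n"

# Constructed sample response; not captured traffic.
FULL = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Secure; HttpOnly\r\n\r\n"
# The same response as the client sees it when the connection is closed
# before the cookie's security attributes arrive.
TRUNCATED = FULL[:FULL.index(b"; Secure")]


def parse_set_cookie(line: bytes) -> dict:
    """Split one Set-Cookie line into name, value and security flags."""
    _, _, rest = line.partition(b":")
    parts = [p.strip() for p in rest.split(b";")]
    name, _, value = parts[0].partition(b"=")
    attrs = {p.split(b"=")[0].strip().lower() for p in parts[1:] if p}
    return {
        "name": name.decode(),
        "value": value.decode(),
        "secure": b"secure" in attrs,
        "httponly": b"httponly" in attrs,
    }


def extract_cookies(buf: bytes, strict: bool) -> list:
    """Return the cookies a client would store from the received bytes.

    strict=False models the flawed behaviour: the last fragment is parsed
    even though no CRLF ever terminated it.
    strict=True drops any line that was not terminated by CRLF.
    """
    lines = buf.split(CRLF)
    if strict:
        # The final element is either empty (buffer ended on CRLF) or an
        # incomplete line; in both cases it must not be processed.
        lines = lines[:-1]
    return [parse_set_cookie(l) for l in lines
            if l.lower().startswith(b"set-cookie:")]


if __name__ == "__main__":
    print("lenient, truncated:", extract_cookies(TRUNCATED, strict=False))
    print("strict,  truncated:", extract_cookies(TRUNCATED, strict=True))
    print("strict,  complete: ", extract_cookies(FULL, strict=True))
```

With the lenient parser the truncated response yields a stored cookie with neither flag set, so it can later be sent over plain HTTP; the strict parser stores nothing until the complete line has been received.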

2 replies

😃 Hello @ ..I got Maverick update today and Android installed new update for the operating system on the cell this morning which took about 20 mins. Not sure if it's related tho.
 
Thanks just the same...
Userlevel 7
Badge +56
Interesting breakdown of the vulnerability and how it works here:
http://blog.cryptographyengineering.com/2014/04/attack-of-week-triple-handshakes-3shake.html
