04-23-2014 02:25 PM
Apple has released updates to its iOS and OS X operating systems that address serious security flaws.
The company said the iOS 7.1.1 upgrade will include, as well as some stability updates, fixes for 19 security flaws.
One of those vulnerabilities is a "triple handshake" error in iOS SecureTransport – which is part of the OS that provides SSL/TLS encryption for stuff sent across the internet. The flaw, which also affects OS X 10.8.5 and 10.9.2, effectively allows a network snooper to maliciously inject data into a supposedly secure connection.
According to Apple, the bug allows an eavesdropper "to establish two [SSL] connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other".
Also fixed were a flaw in IOKit that leaked kernel pointers – handy for jailbreaking tools – and a possible login cookie disclosure flaw in the iOS HTTPProtocol component. According to Apple: "Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie."
No comment...as I am not an Apple fan or user...LOL!
Webroot SecureAnywhere Complete Beta Tester v188.8.131.52, imaged by Macrium Reflect v6.2
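The cookie flaw quoted in the post above, as an added Python example (not part of the original post and not Apple's code): a lenient header reader accepts a `Set-Cookie` line cut off by an early connection close, while a strict reader only processes CRLF-terminated lines. All function names and sample bytes are constructed for illustration.

```python
# Added illustration; names and sample bytes are constructed, not Apple's code.
CRLF = b"\r\n"

def complete_header_lines(raw: bytes) -> list[bytes]:
    """Return only header lines that were fully received (CRLF-terminated).

    Whatever follows the last CRLF is a partial line cut off by the
    connection closing, and is dropped.
    """
    head, sep, _partial = raw.rpartition(CRLF)
    return head.split(CRLF) if sep else []

def lenient_header_lines(raw: bytes) -> list[bytes]:
    """Flawed behaviour described in the advisory: a truncated final line
    is processed as if it were complete."""
    return [line for line in raw.split(CRLF) if line]

def parse_set_cookie(lines: list[bytes]) -> dict[str, dict]:
    """Map cookie name -> value plus Secure/HttpOnly flags."""
    cookies = {}
    for line in lines:
        name, _, rest = line.partition(b":")
        if name.strip().lower() != b"set-cookie":
            continue
        pair, *attrs = [p.strip() for p in rest.split(b";")]
        key, _, value = pair.partition(b"=")
        flags = {a.lower() for a in attrs}
        cookies[key.decode()] = {
            "value": value.decode(),
            "secure": b"secure" in flags,
            "httponly": b"httponly" in flags,
        }
    return cookies

# Constructed sample: the full header the server intended to send...
FULL = b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Secure; HttpOnly\r\n\r\n"
# ...and the same response cut off before the security attributes arrived.
TRUNCATED = FULL[:FULL.index(b"; Secure")]

def demo():
    return {
        "lenient": parse_set_cookie(lenient_header_lines(TRUNCATED)),
        "strict": parse_set_cookie(complete_header_lines(TRUNCATED)),
        "strict_full": parse_set_cookie(complete_header_lines(FULL)),
    }

if __name__ == "__main__":
    for label, cookies in demo().items():
        print(label, cookies)
```

The lenient path stores the session cookie with neither `Secure` nor `HttpOnly`; the strict path stores nothing from the truncated response and keeps both flags on the complete one.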
04-23-2014 03:18 PM
Hello @Baldrick... I got Maverick update today and Android installed new update for the operating system on the cell this morning which took about 20 mins. Not sure if it's related though.
Thanks just the same...
Microsoft® Windows Insider MVP - Windows Security
04-25-2014 02:15 PM
Interesting breakdown of the vulnerability and how it works here: