Difference between revisions of "DBSA:2014-0004"
(Created page with "{{DBSAHEAD | TITLE=Apple SSL Vulnerability | KEYWORDS=SSL, Apple, HTTPS, Vulnerability, Data Exposure, Mac OSX, iOS }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' Apple SSL...") |
|||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
{{DBSAHEAD | {{DBSAHEAD | ||
− | | TITLE=Apple SSL Vulnerability | + | | TITLE=Apple SSL/TLS Vulnerability |
− | | KEYWORDS=SSL, Apple, HTTPS, Vulnerability, Data Exposure, Mac OSX, iOS | + | | KEYWORDS=SSL, TLS, Apple, HTTPS, Vulnerability, Data Exposure, Mac OSX, iOS |
}} | }} | ||
'''DBSA ID:''' {{PAGENAME}} | '''DBSA ID:''' {{PAGENAME}} | ||
− | '''Regarding:''' Apple SSL Vulnerability | + | '''Regarding:''' Apple SSL/TLS Vulnerability |
'''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 17:20, 24 February 2014 (EST) | '''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 17:20, 24 February 2014 (EST) | ||
Line 28: | Line 28: | ||
'''Spread of Issue:''' MULTI-PLATFORM HIGH | '''Spread of Issue:''' MULTI-PLATFORM HIGH | ||
− | '''Rationale:''' The issue effects both Mac OSX and iOS | + | '''Rationale:''' The issue effects both Mac OSX and iOS to which iOS is utilized on millions of devices. |
==Description== | ==Description== | ||
− | Apple is a manufacturer and publisher of hardware and software platforms including Mac OSX, which is an operating system utilized on desktop and laptop computers; and iOS, which is a platform utilized on mobile phones and tablets. A vulnerability has been located in Apple's SSL cryptography libraries which may result in interception or alteration of data protected in SSL sessions including HTTPS sessions through the Apple web browser safari. | + | Apple is a manufacturer and publisher of hardware and software platforms including Mac OSX, which is an operating system utilized on desktop and laptop computers; and iOS, which is a platform utilized on mobile phones and tablets. A vulnerability has been located in Apple's SSL/TLS (Secure Socket Library/Transport Layer Security) cryptography libraries which may result in interception or alteration of data protected in SSL sessions including HTTPS sessions through the Apple web browser safari. The vulnerability in specific is a certificate verification check that is supposed to check specific parameters of the website's certificate unable to fail. Thus an attacker can leverage this flaw to issue certificates that should by rights be rejected that are accepted by the vulnerable software. |
* Mac OSX versions 10.9.1 and under are vulnerable | * Mac OSX versions 10.9.1 and under are vulnerable |
Latest revision as of 17:55, 24 February 2014
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - Apple SSL/TLS Vulnerability
Keywords: SSL, TLS, Apple, HTTPS, Vulnerability, Data Exposure, Mac OSX, iOS
DBSA ID: 2014-0004
Regarding: Apple SSL/TLS Vulnerability
Writeup: Kradorex Xeron (talk) 17:20, 24 February 2014 (EST)
Date: 2014 02 24
Last Modified: 20140224175541 by Kradorex Xeron
Who should take note: All users of Apple devices and platforms
Classification
Priority: HIGH
Rationale: Information may be disclosed without immediate action
Severity: HIGH
Rationale: Trusted encrypted connections may be at risk
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: The issue effects both Mac OSX and iOS to which iOS is utilized on millions of devices.
Description
Apple is a manufacturer and publisher of hardware and software platforms including Mac OSX, which is an operating system utilized on desktop and laptop computers; and iOS, which is a platform utilized on mobile phones and tablets. A vulnerability has been located in Apple's SSL/TLS (Secure Socket Library/Transport Layer Security) cryptography libraries which may result in interception or alteration of data protected in SSL sessions including HTTPS sessions through the Apple web browser safari. The vulnerability in specific is a certificate verification check that is supposed to check specific parameters of the website's certificate unable to fail. Thus an attacker can leverage this flaw to issue certificates that should by rights be rejected that are accepted by the vulnerable software.
- Mac OSX versions 10.9.1 and under are vulnerable
- iOS versions 7.0.6 and under are vulnerable.
For further technical information, please review CVE-2014-1266
Mitigation/Solution
iOS users are advised to update their devices immediately.
Mac OSX computer users are advised to immediately cease utilizing Safari as a web browser (which utilizes the vulnerable libraries) and to install and/or use Mozilla Firefox or Google Chrome.