Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Apple SSL Vulnerability

Keywords: SSL, Apple, HTTPS, Vulnerability, Data Exposure, Mac OSX, iOS

DBSA ID: 2014-0004

Regarding: Apple SSL Vulnerability

Writeup: Kradorex Xeron (talk) 17:20, 24 February 2014 (EST)

Date: 2014 02 24

Last Modified: 20140224172054 by Kradorex Xeron

Who should take note: All users of Apple devices and platforms

Classification

Priority: HIGH

Rationale: Information may be disclosed without immediate action

Severity: HIGH

Rationale: Trusted encrypted connections may be at risk

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: The issue effects both Mac OSX and iOS

Description

Apple is a manufacturer and publisher of hardware and software platforms including Mac OSX, which is an operating system utilized on desktop and laptop computers; and iOS, which is a platform utilized on mobile phones and tablets. A vulnerability has been located in Apple's SSL cryptography libraries which may result in interception or alteration of data protected in SSL sessions including HTTPS sessions through the Apple web browser safari.

• Mac OSX versions 10.9.1 and under are vulnerable
• iOS versions 7.0.6 and under are vulnerable.

For further technical information, please review CVE-2014-1266

Mitigation/Solution

iOS users are advised to update their devices immediately.

Mac OSX computer users are advised to immediately cease utilizing Safari as a web browser (which utilizes the vulnerable libraries) and to install and/or use Mozilla Firefox or Google Chrome.

References

• https://threatpost.com/apple-ssl-vulnerability-affects-osx-too/104434
• https://www.imperialviolet.org/2014/02/22/applebug.html
• http://support.apple.com/kb/HT6147