Vulnerabilities / Threats
2/25/2014
02:58 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Apple SSL Vulnerability: 6 Facts

SSL vulnerability that's been patched in iOS -- but not yet for OS X -- lets attackers intercept email and FaceTime communications, plus push malicious software updates

The SSL vulnerability that affects iOS devices, as well as desktops and laptops that run the Apple OS X operating system, is easy to exploit and likely already being actively targeted by attackers.

So said New Zealand security researcher Aldo Cortesi, who reported Tuesday that he successfully adapted a free man-in-the-middle proxy tool called mitmproxy -- which is designed to intercept, modify, and replay HTTP and HTTP traffic -- to exploit the SSL flaw.

"I've confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OS X Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured," according to a blog post from Cortesi, who promised to not release his SSL-attack tweaks for mitmproxy until after Apple releases an OS X patch.

Read the full article here.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

 

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web