Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/5/2009
12:48 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Serious SSL Vulnerability Found

A vulnerability in the most common data security protocol on the Internet could allow secure Web sessions to be hijacked.

Two security researchers with PhoneFactor, a provider of phone-based two-factor authentication, on Thursday said that they had discovered a serious flaw in the SSL protocol, which is used to protect sensitive data in online transactions.

SSL, short for Secure Sockets Layer, is used for online banking and for secure e-mail and database access, among other things.

Discovered in August and disclosed by PhoneFactor researchers Marsh Ray and Steve Dispensa to a consortium of major tech industry companies and standards groups in September, the vulnerability was slated for disclosure next year, to give affected vendors time to patch their software.

But an independent security researcher discovered the vulnerability on his own and posted it to an Internet Engineering Task Force mailing list on November 4th.

The vulnerability could allow an attack to conduct a man-in-the-middle attack, whereby he or she could hijack an authenticated SSL session and execute commands. In theory, neither the Web server nor Web browser would provide any indication that the session had been subverted.

"Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching," said Steve Dispensa, CTO of PhoneFactor, in a statement. "All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL."

Other SSL vulnerabilities have been identified recently. Over the summer, at the Black Hat security conference in Las Vegas, Mike Zusman, principal consultant at Intrepidus Group, and Alex Sotirov, an independent security researcher, disclosed a Web browser design flaw that allowed an attacker to conduct a a man-in-the-middle attack against Web sites with Extended Validation (EV) Secure Sockets Layer (SSL) certificates.

Another security researcher, Moxie Marlinspike, demonstrated a separate SSL flaw at the Black Hat conference in Washington, D.C., in February.

InformationWeek and Dr. Dobb's have published an in-depth report on how Web application development is moving to online platforms. Download the report here (registration required).

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15505
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15506
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.
CVE-2020-15507
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.
CVE-2020-15096
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
CVE-2020-4075
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...