Mythnick

Q: Apple SSL Bug!?

What about this ???

Source: US-CERT/NIST

This vulnerability is currently undergoing analysis and not all information is available.

Please check back soon to view the completed vulnerability summary.

Overview

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.


And the site to test it

Source: http://gotofail.com ?


OS X Mavericks (10.9.1)

Posted on Feb 24, 2014 5:12 AM
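As an added illustration (not part of the original post and not Apple's code), the C program below models the control-flow defect behind the overview's "does not check the signature" wording. The published fix for CVE-2014-1266 removed a duplicated, unconditional `goto fail;` from `SSLVerifySignedServerKeyExchange`: the function jumped to its cleanup label while `err` still held the success status of the previous hashing call, so it returned 0 before the signature over the ServerKeyExchange was ever verified. The FNV-style hash, the XOR "signature", the `KexMsg` struct, the key values and the error code here are constructed stand-ins for that example; the real function hashes the two hello randoms and the signed parameters with SHA-1 and verifies an RSA or ECDSA signature with the server certificate's public key.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Apple's code: models the control-flow defect in
 * SSLVerifySignedServerKeyExchange (CVE-2014-1266). Hash, "signature",
 * keys and error code are toy stand-ins constructed for this example. */

typedef int OSStatus;             /* Secure Transport: 0 means success */
enum { errToyBadSignature = -1 }; /* constructed failure code */

/* Toy 32-bit FNV-1a running hash; stands in for the SHA-1 context. */
typedef struct { uint32_t h; } HashCtx;

static OSStatus hash_init(HashCtx *c) { c->h = 2166136261u; return 0; }

static OSStatus hash_update(HashCtx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}

static OSStatus hash_final(HashCtx *c, uint32_t *out) { *out = c->h; return 0; }

/* Toy "signature": digest XOR key. Only the holder of the server's key can
 * produce a value that verifies under that key (stand-in for RSA signing). */
static uint32_t toy_sign(uint32_t digest, uint32_t key) { return digest ^ key; }

static OSStatus toy_verify(uint32_t digest, uint32_t sig, uint32_t key) {
    return (sig ^ key) == digest ? 0 : errToyBadSignature;
}

/* What a TLS ServerKeyExchange signature covers: both hello randoms and the
 * signed key-exchange parameters, plus the signature itself. */
typedef struct {
    const uint8_t *client_random; size_t client_random_len;
    const uint8_t *server_random; size_t server_random_len;
    const uint8_t *signed_params; size_t signed_params_len;
    uint32_t signature;
} KexMsg;

/* Vulnerable shape. The second "goto fail;" is indented as if it belonged to
 * the if, but it does not, so it always runs. err still holds the 0 returned
 * by the successful hash_update above it, so control reaches fail: and the
 * function returns 0 (success) without ever calling toy_verify. */
static OSStatus verify_kex_vulnerable(const KexMsg *m, uint32_t server_key) {
    OSStatus err;
    HashCtx ctx;
    uint32_t digest;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->client_random, m->client_random_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->server_random, m->server_random_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->signed_params, m->signed_params_len)) != 0)
        goto fail;
        goto fail;                                   /* the duplicated line */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = toy_verify(digest, m->signature, server_key);   /* never reached */
fail:
    return err;
}

/* Fixed shape: identical except the stray goto is gone, so the signature
 * check is the last statement before the return. */
static OSStatus verify_kex_fixed(const KexMsg *m, uint32_t server_key) {
    OSStatus err;
    HashCtx ctx;
    uint32_t digest;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->client_random, m->client_random_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->server_random, m->server_random_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->signed_params, m->signed_params_len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = toy_verify(digest, m->signature, server_key);
fail:
    return err;
}

typedef OSStatus (*Verifier)(const KexMsg *, uint32_t);

/* Builds a constructed ServerKeyExchange signed under signing_key and asks
 * the given verifier to check it against server_key. Returns 1 if accepted. */
static int accepts(Verifier verify, uint32_t signing_key, uint32_t server_key) {
    static const uint8_t cr[] = "client-random-constructed";
    static const uint8_t sr[] = "server-random-constructed";
    static const uint8_t sp[] = "dh-params-constructed";
    KexMsg m = { cr, sizeof cr - 1, sr, sizeof sr - 1, sp, sizeof sp - 1, 0 };
    HashCtx ctx;
    uint32_t digest;
    hash_init(&ctx);
    hash_update(&ctx, m.client_random, m.client_random_len);
    hash_update(&ctx, m.server_random, m.server_random_len);
    hash_update(&ctx, m.signed_params, m.signed_params_len);
    hash_final(&ctx, &digest);
    m.signature = toy_sign(digest, signing_key);
    return verify(&m, server_key) == 0;
}

#define SERVER_KEY 0x5eed5eedu   /* constructed: the genuine server's key */
#define OTHER_KEY  0x0badc0deu   /* constructed: any key that is not it */

int main(void) {
    printf("vulnerable accepts wrong-key signature: %d\n", accepts(verify_kex_vulnerable, OTHER_KEY, SERVER_KEY));
    printf("fixed accepts wrong-key signature: %d\n", accepts(verify_kex_fixed, OTHER_KEY, SERVER_KEY));
    printf("fixed accepts genuine signature: %d\n", accepts(verify_kex_fixed, SERVER_KEY, SERVER_KEY));
    return 0;
}
```

The point of the `accepts` harness is the one the overview makes: the vulnerable verifier accepts a message signed under any key at all, which is exactly what lets a party in a privileged network position present its own key exchange, while the fixed verifier accepts only the genuine server's signature. The same shape of defect (an unconditional jump to an error label that carries a stale success status) is what a compiler's unreachable-code warning, or a coding standard that requires braces around every conditional body, is there to catch.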

  • by John Galt, Feb 24, 2014 6:02 AM in response to Mythnick
    Level 8 (49,522 points), Mac OS X

    It's not clear what your question is. What else would you like to know?

  • by Mythnick, Feb 24, 2014 6:02 AM in response to Mythnick
    Level 1 (0 points)

    Safari, Mail and more hit by SSL snooping bug on Mac OS X 10.9, fix 'soon'

    iMessage, Facetime, Twitter and others blown apart by Apple's cert check ****-up

    http://www.theregister.co.uk/2014/02/23/apple_mac_os_x_10_9_ssl_fix/

  • by Mythnick, Feb 24, 2014 6:05 AM in response to John Galt
    Level 1 (0 points)

    @John Apple released a patch for iOS, but apparently the bug exists also in OS X, and there is no official info from Apple...

    Then I want to be sure that it is not a HOAX?

    But apparently the amount of information regarding this matter is growing in Google search results...

  • by Ralph Landry1 (Helpful), Feb 24, 2014 6:13 AM in response to Mythnick
    Level 8 (41,782 points)

    The flaw is in the use of a browser on an unsecure wireless network which will permit a man-in-the-middle to read the wireless traffic.  It DOES NOT permit a person to enter or compromise your computer or device.  It does not affect wired network connections.  If you are not using an unsecure public WiFi you should not be vulnerable.

  • by John Galt (Helpful), Feb 24, 2014 6:23 AM in response to Mythnick
    Level 8 (49,522 points), Mac OS X

    It's not a hoax, but there is a lot of typical hyperventilating media wind being blown about it. Apple discovered a flaw in the way encrypted SSL communications are implemented if they were to take place over an unencrypted wireless network, such as can be found in coffee shops etc. Conceivably, a determined hacker could exploit that flaw to eavesdrop on email conversations that take place over such an unencrypted wireless network. It's worth noting that there is no evidence or knowledge of it having actually been accomplished by anyone for any specific nefarious purpose. It's also worth noting that there are many more, far simpler means of eavesdropping on private conversations including placing listening devices in your home or office, or simply looking over your shoulder while you're texting someone.

    As a rule it's not a good idea to send or receive sensitive information while connected to a public, unencrypted Wi-Fi network. This will always remain true whether or not Apple decides to release an OS X update to address the flaw.

    Nothing about this flaw is capable of altering your iPhone or Mac and is not something that can be used to take control of your Mac or access the information on it.


  • by Linc Davis, Feb 24, 2014 2:54 PM in response to Mythnick
    Level 10 (208,000 points), Applications

    If it bothers you, use Firefox while on a public hotspot until a system update is released, probably in the next few days.

  • by MadMacs0, Feb 24, 2014 11:30 PM in response to Ralph Landry1
    Level 5 (4,791 points)

    Ralph Landry1 wrote:

    It does not affect wired network connections.

    Yes it does. Obviously it's more difficult to clandestinely plug into a router as opposed to joining by Wi-Fi, but once you are on the local network the Man-In-The-Middle attacks are identical.

  • by Ralph Landry1, Feb 25, 2014 5:42 AM in response to Linc Davis
    Level 8 (41,782 points)

    Safari 7.0.1 and Firefox 26 are affected by this flaw.

  • by MadMacs0, Feb 25, 2014 11:55 AM in response to Mythnick
    Level 5 (4,791 points)

    APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update 2014-001

    OS X Mavericks 10.9.2 and Security Update 2014-001 is now available
    and addresses the following:

    Apache
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Multiple vulnerabilities in Apache
    Description:  Multiple vulnerabilities existed in Apache, the most
    serious of which may lead to cross-site scripting. These issues were
    addressed by updating Apache to version 2.2.26.
    CVE-ID
    CVE-2013-1862
    CVE-2013-1896

    App Sandbox
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  The App Sandbox may be bypassed
    Description:  The LaunchServices interface for launching an
    application allowed sandboxed apps to specify the list of arguments
    passed to the new process. A compromised sandboxed application could
    abuse this to bypass the sandbox. This issue was addressed by
    preventing sandboxed applications from specifying arguments. This
    issue does not affect systems running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

    ATS
    Available for:  OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing or downloading a document containing a maliciously
    crafted embedded font may lead to arbitrary code execution
    Description:  A memory corruption issue existed in the handling of
    Type 1 fonts. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1254 : Felix Groebert of the Google Security Team

    ATS
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  The App Sandbox may be bypassed
    Description:  A memory corruption issue existed in the handling of
    Mach messages passed to ATS. This issue was addressed through
    improved bounds checking.
    CVE-ID
    CVE-2014-1262 : Meder Kydyraliev of the Google Security Team

    ATS
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  The App Sandbox may be bypassed
    Description:  An arbitrary free issue existed in the handling of Mach
    messages passed to ATS. This issue was addressed through additional
    validation of Mach messages.
    CVE-ID
    CVE-2014-1255 : Meder Kydyraliev of the Google Security Team

    ATS
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  The App Sandbox may be bypassed
    Description:  A buffer overflow issue existed in the handling of Mach
    messages passed to ATS. This issue was addressed by additional bounds
    checking.
    CVE-ID
    CVE-2014-1256 : Meder Kydyraliev of the Google Security Team

    Certificate Trust Policy
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Root certificates have been updated
    Description:  The set of system root certificates has been updated.
    The complete list of recognized system roots may be viewed via the
    Keychain Access application.

    CFNetwork Cookies
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  Session cookies may persist even after resetting Safari
    Description:  Resetting Safari did not always delete session cookies
    until Safari was closed. This issue was addressed through improved
    handling of session cookies. This issue does not affect systems
    running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett

    CoreAnimation
    Available for:  OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact:  Visiting a maliciously crafted site may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A heap buffer overflow existed in CoreAnimation's
    handling of images. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1258 : Karl Smith of NCC Group

    CoreText
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  Applications that use CoreText may be vulnerable to an
    unexpected application termination or arbitrary code execution
    Description:  A signedness issue existed in CoreText in the handling
    of Unicode fonts. This issue is addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs

    curl
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  An attacker with a privileged network position may intercept
    user credentials or other sensitive information
    Description:  When using curl to connect to an HTTPS URL containing
    an IP address, the IP address was not validated against the
    certificate. This issue does not affect systems prior to OS X
    Mavericks v10.9.
    CVE-ID
    CVE-2014-1263 : Roland Moriz of Moriz GmbH

    Data Security
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  An attacker with a privileged network position may capture
    or modify data in sessions protected by SSL/TLS
    Description:  Secure Transport failed to validate the authenticity of
    the connection. This issue was addressed by restoring missing
    validation steps.
    CVE-ID
    CVE-2014-1266

    Date and Time
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  An unprivileged user may change the system clock
    Description:  This update changes the behavior of the systemsetup
    command to require administrator privileges to change the system
    clock.
    CVE-ID
    CVE-2014-1265

    File Bookmark
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing a file with a maliciously crafted name may lead to
    an unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of file
    names. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1259

    Finder
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  Accessing a file's ACL via Finder may lead to other users
    gaining unauthorized access to files
    Description:  Accessing a file's ACL via Finder may corrupt the ACLs
    on the file. This issue was addressed through improved handling of
    ACLs.
    CVE-ID
    CVE-2014-1264

    ImageIO
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing a maliciously crafted JPEG file may lead to the
    disclosure of memory contents
    Description:  An uninitialized memory access issue existed in
    libjpeg's handling of JPEG markers, resulting in the disclosure of
    memory contents. This issue was addressed by better JPEG handling.
    CVE-ID
    CVE-2013-6629 : Michal Zalewski

    IOSerialFamily
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5
    Impact:  Executing a malicious application may result in arbitrary
    code execution within the kernel
    Description:  An out of bounds array access existed in the
    IOSerialFamily driver. This issue was addressed through additional
    bounds checking. This issue does not affect systems running OS X
    Mavericks v10.9 or later.
    CVE-ID
    CVE-2013-5139 : @dent1zt

    LaunchServices
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5
    Impact:  A file could show the wrong extension
    Description:  An issue existed in the handling of certain unicode
    characters that could allow filenames to show incorrect extensions.
    The issue was addressed by filtering unsafe unicode characters from
    display in filenames. This issue does not affect systems running OS X
    Mavericks v10.9 or later.
    CVE-ID
    CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre
    of Intego

    NVIDIA Drivers
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Executing a malicious application could result in arbitrary
    code execution within the graphics card
    Description:  An issue existed that allowed writes to some trusted
    memory on the graphics card. This issue was addressed by removing the
    ability of the host to write to that memory.
    CVE-ID
    CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation
    Nouveau project
    CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation
    Nouveau project

    PHP
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Multiple vulnerabilities in PHP
    Description:  Multiple vulnerabilities existed in PHP, the most
    serious of which may have led to arbitrary code execution. These
    issues were addressed by updating PHP to version 5.4.22 on OS X
    Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
    CVE-ID
    CVE-2013-4073
    CVE-2013-4113
    CVE-2013-4248
    CVE-2013-6420

    QuickLook
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  Downloading a maliciously crafted Microsoft Office file may
    lead to an unexpected application termination or arbitrary code
    execution
    Description:  A memory corruption issue existed in QuickLook's
    handling of Microsoft Office files. Downloading a maliciously crafted
    Microsoft Office file may have led to an unexpected application
    termination or arbitrary code execution. This issue does not affect
    systems running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2014-1260 : Felix Groebert of the Google Security Team

    QuickLook
    Available for:  OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact:  Downloading a maliciously crafted Microsoft Word document
    may lead to an unexpected application termination or arbitrary code
    execution
    Description:  A double free issue existed in QuickLook's handling of
    Microsoft Word documents. This issue was addressed through improved
    memory management.
    CVE-ID
    CVE-2014-1252 : Felix Groebert of the Google Security Team

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of 'ftab'
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1246 : An anonymous researcher working with HP's Zero Day
    Initiative

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A memory corruption issue existed in the handling of
    'dref' atoms. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day
    Initiative

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of 'ldat'
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1248 : Jason Kratzer working with iDefense VCP

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing a maliciously crafted PSD image may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of PSD
    images. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1249 : dragonltx of Tencent Security Team

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  An out of bounds byte swapping issue existed in the
    handling of 'ttfo' elements. This issue was addressed through
    improved bounds checking.
    CVE-ID
    CVE-2014-1250 : Jason Kratzer working with iDefense VCP

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A signedness issue existed in the handling of 'stsz'
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day
    Initiative

    Secure Transport
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There were known attacks on the confidentiality of SSL
    3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode.
    To address these issues for applications using Secure Transport, the
    1-byte fragment mitigation was enabled by default for this
    configuration.
    CVE-ID
    CVE-2011-3389 : Juliano Rizzo and Thai Duong

    OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.

    OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from
    the Mac App Store or Apple's Software Downloads web site:
    http://www.apple.com/support/downloads/

    Information will also be posted to the Apple Security Updates
    web site: http://support.apple.com/kb/HT1222

  • by Ralph Landry1 (Solved answer), Feb 25, 2014 12:02 PM in response to Mythnick
    Level 8 (41,782 points)

    The Mavericks update is at: http://support.apple.com/kb/DL1726

  • by netsoup, Mar 5, 2014 5:49 AM in response to MadMacs0
    Level 1 (0 points)

    @MadMac0

    Re:

    "Feb 24, 2014 11:30 PM (in response to Ralph Landry1)

    Ralph Landry1 wrote:

    It does not affect wired network connections.

    Yes it does. Obviously it's more difficult to clandestinely plug into a router as opposed to joining by Wi-Fi, but once you are on the local network the Man-In-The-Middle attacks are identical."

    That is false.  You are basing that on an incorrect understanding of the actual bug.  The bug only affected wireless connections using Safari, and only then, if you were on a completely unencrypted wifi that had no security or password...   This isn't a simple man in the middle open bug, it was in the way SSL was negotiated only when using completely unencrypted wifi...  It's likely nobody ever noticed this until Apple announced the flaw and fixed it because most people with any security consciousness have at least some encryption on their wifi or are a little leery about trusting completely unencrypted, open wifi connections to begin with.

  • by MadMacs0, Mar 5, 2014 10:02 PM in response to netsoup
    Level 5 (4,791 points)

    I don't know why you are choosing to reply to this now since it's all been taken care of, so I figured I'd let it go, but your statements are so far off base that I felt I needed to respond.

    I spent the better part of three days gaining an understanding of exactly what this flaw was by researching what virtually all the security and coding experts had to say about it and then checking it all out for myself to the extent I was able, before posting one word here. Everything I've written is thoroughly documented and was vetted with some of the sources and a group of computer security colleagues that I collaborate with every day. We were even able to obtain a bit of confirmation from Apple product-security, but as you might expect they were unable to discuss most of the details.

    Safari was not the only browser that was impacted by the flaw. My colleagues and I checked several browsers that we had handy and every one of them that use the WebKit framework was found to be vulnerable, using both the test sites that had been set up. This includes OmniWeb, Maxthon and some lesser known browsers. There are also several other applications that also use WebKit including Apple Mail, Entourage 2008, Instant Messenger, Fire, iChat, MSN Messenger, Yahoo Messenger, NetNewsWire, iWeb, Sandvox, BBEdit, and the list goes on. Although no tests were set up to prove vulnerability, I think it's reasonable to suspect that any of those apps that use SSL were subject to spoofing attack.

    Not only that, but I also tested these same browsers both over my local WPA-2 encrypted Wi-Fi network and when attached via Ethernet to my router. All tests showed those browsers to be vulnerable.

    But the flaw wasn't in Safari or WebKit. The only security update involving Safari was for a very different WebKit issue:

    Safari 6.1.2 and Safari 7.0.2 is now available and addresses the
    following:

    WebKit
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.1
    Impact:  Visiting a maliciously crafted website may lead to an
    unexpected application termination or arbitrary code execution
    Description:  Multiple memory corruption issues existed in WebKit.
    These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2013-6635 : cloudfuzzer
    CVE-2014-1268 : Apple
    CVE-2014-1269 : Apple
    CVE-2014-1270 : Apple

    The flaw was in the coding of the SecureTransport section of /System/Library/Frameworks/Security.framework/Version/A/Security. It's the section of the code that handles SSL certification. That section does not handle Wi-Fi encryption in any way.  There was speculation just before 10.9.2 was released that SSL might be involved between Airport Utility and Airport Base Stations, but there wasn't time to check that out.

    Finally, let's take a look at what Apple had to say about the fix:

    Data Security
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  An attacker with a privileged network position may capture
    or modify data in sessions protected by SSL/TLS
    Description:  Secure Transport failed to validate the authenticity of
    the connection. This issue was addressed by restoring missing
    validation steps.
    CVE-ID
    CVE-2014-1266

    "Privileged network position" does not say Wi-Fi only.  It's SSL/TLS not WEP, WPA or any other Wi-Fi encryption protocol.  If an attacker is able to hack your local network then he becomes the Man In the Middle whether open or encrypted.

    What would have happened next is anybody's guess.  Harvesting of credentials would undoubtedly be the first order of business. UserIDs and passwords for web sites, e-mail accounts, AppleIDs, chat accounts.  Any application that used the Secure Transport function to do SSL/TLS certificate validation would be vulnerable to intercept by the MITM with fake certificates. Firefox and Google Chrome are said to use their own SSL/TLS certification process, which is why they were not involved with this flaw.

  • by netsoup, Mar 5, 2014 10:46 PM in response to MadMacs0
    Level 1 (0 points)

    I will check this out.  So far what you have gleaned contradicts all other basic public disclosures of this bug.  But you bring up browsers nobody uses to say everything was affected.  They said it was WebKit, but in reality WebKit is Safari on OS X.  Firefox and Opera and others don't use it, and WebKit is understood by anybody that knows the far reaching browsers you are trying to pull out of it.  Of course they said WebKit so if you twist you can say other browsers were affected on OS X, but you are misleading pulling those out and not saying Firefox or Opera weren't affected, which Apple also said.  You checked those two and know different?

    But, before actually going off on a tangent, are you just talking about iOS WebKit and just WebKit browsers?  Basically, are you saying Firefox on OS X was affected, Opera was affected, or any other OS X browser actually used by most when we talk "alternatives", other than Safari was affected?  I will check out the mail stuff and other protocols, because I really only heard basically Safari browsing was affected.  Privileged is a term in the fix, but they also said it pertained to non encrypted wifi in the public warning, and I actually think that was accurate.

    Oh my gosh, and reading deeper you are just saying "it is reasonable to suspect" other protocols.  Never mind.  You are way off.  I wasted time learning your twisted thinking.

    You really are only talking about Safari WebKit in practice, and saying other stuff *could* use those protocols and pulling obscure "non Safari" WebKit browsers; you are misdirecting and pulling random non-meaning cases that nobody uses to prove a false fact...  Anybody using WebKit in some off browser knows that the announcement mentioned WebKit.  For the public, saying Firefox and Opera and basically any non-WebKit browser was good was accurate.  You see what you want.

  • by netsoup, Mar 6, 2014 4:32 AM in response to netsoup
    Level 1 (0 points)

    I really don't see how you could tell browsers were vulnerable on Ethernet unless you actually spoofed a certificate and didn't get any warnings, but I guess it doesn't matter.  You could be right and I apologize for going off, and I can't test it now, it just felt like a lot of stretching.

    I got security warnings all the time on wifi for self signed certs until I accepted them, and I switch certificates often enough and test new sites enough to run into them here and there. I just didn't assume you actually performed MIM attacks on yourself to find browsers vulnerable on ethernet or whatever this bug in theory was supposed to allow, so I didn't know what you meant by "found them vulnerable" and assumed you were just assuming.

    I guess I just never saw this vulnerability using wifi or ethernet, but I never really use open wifi so I figured that was why.  Thanks for the info to consider.
