Mythnick
Level 1 (0 points)

Q: Apple SSL Bug!?

What about this ???

Source: US-CERT/NIST

This vulnerability is currently undergoing analysis and not all information is available.

Please check back soon to view the completed vulnerability summary.

Overview

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.

 

And the site to test it

Source: http://gotofail.com ?

 

 

 

OS X Mavericks (10.9.1)

Posted on Feb 24, 2014 5:12 AM

by Ralph Landry1,Solvedanswer
Ralph Landry1 Ralph Landry1
Level 8 (41,782 points)
A:

The Mavericks update is at: http://support.apple.com/kb/DL1726

Posted on Feb 25, 2014 12:02 PM

Close
Mythnick

Q: Apple SSL Bug!?

  • All replies
  • Helpful answers

Previous Page 2

  • by netsoup,

    netsoup netsoup Mar 6, 2014 7:37 PM in response to MadMacs0
    Level 1 (0 points)
    Mar 6, 2014 7:37 PM in response to MadMacs0

    I do apologize for rehashing.

    Like you said, it's all taken care of.

    I have been dealing with so much misinfo for days I had to go back and understand.

    I've been dealing with people quoting bug name news articles saying anyone on your network could spoof you which isn't how MIM attacks work, but there's no excuse.  Your correction helped me get a grip and see how bad it could have been and thanks.

  • by netsoup,

    netsoup netsoup Mar 6, 2014 8:06 PM in response to netsoup
    Level 1 (0 points)
    Mar 6, 2014 8:06 PM in response to netsoup

    MIM attacks basically mean someone actually controlled your traffic, like at the wifi or ISP level, to be able to intercept and replace packets.  That's way different than somebody being on the same network and there are commercial products out there that do that already, so I didn't understand how this changed that...

Previous Page 2