Tuesday, February 25, 2014

Apple's SSL Certificate Verification Bypass Flaw, Part II

--
…And… The Fix Is Out!

Apple has provided four security updates today, one of which is the OS X 10.9.2 update. I'll skip Security Update 2014-001, the Safari 6.1.2 update and the Safari 7.0.3 update for the moment, as they are not directly applicable to the SSL security flaw.

What have we here, among the several security updates in 10.9.2?

Data Security

Available for:  OS X Mavericks 10.9 and 10.9.1

Impact:  An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description:  Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID
CVE-2014-1266
√ That's the fix for the SSL flaw, aka CVE-2014-1266.

I'm glad that's over!

Update ASAP please! I'm off to do it myself right now.

I'll chatter about the other security updates, as well as the other security fixes in 10.9.2, a bit later.

