Secure Transport in Apple iOS prior to 7.1.1, Apple OS X 10.8.x and 10.9.x up to and including 10.9.2, and Apple TV prior to 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."

Vulnerable Product |
---|
apple iphone os 7.0.4 |
apple iphone os |
apple iphone os 7.0.5 |
apple iphone os 7.0.6 |
apple iphone os 7.0.1 |
apple iphone os 7.0.2 |
apple iphone os 7.0 |
apple iphone os 7.0.3 |
apple mac os x 10.9.2 |
apple mac os x 10.9 |
apple mac os x 10.9.1 |
apple tvos 6.0 |
apple tvos 6.0.1 |
apple tvos 6.0.2 |
apple tvos |
apple mac os x 10.8.3 |
apple mac os x 10.8.5 |
apple mac os x 10.8.4 |
apple mac os x 10.8.1 |
apple mac os x 10.8.0 |
apple mac os x 10.8.2 |

Triple-handshake flaw stalks Macs and iThings
Apple has squashed a significant security bug in its SSL engine for iOS and OS X as part of a slew of patches for iThings and Macs. The so-called "triple handshake" flaw quietly emerged yesterday amid panic over OpenSSL's Heartbleed vulnerability, and soon after the embarrassing "goto fail" blunder in iOS and OS X. Apple's "triple handshake" bug [CVE-2014-1295, advisory] is unrelated to Heartbleed, and nothing like as serious, according to security experts. For one thing, Heartbleed is a problem...