Secure Transport in Apple iOS prior to 8.2, Apple OS X up to and including 10.10.2, and Apple TV prior to 7.1 does not properly restrict TLS state transitions, which makes it easier for remote malicious users to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1637.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apple mac os x |
||
apple tvos |
||
apple iphone os |
Cupertino slings patches to kill twin data execution bugs
Apple has patched a dozen security flaws in Watch, including FREAK and two allowing arbitrary code execution. The updates cover Oracle hacker Marc Schoenefeld's arbitrary code execution which triggers (CVE-2015-1093) when the Apple Watch processes a maliciously crafted font file. It also squashes hacker Loki@ART's bug that grants malicious apps the ability to execute arbitrary code with system privileges via a kernel memory corruption issue (CVE-2015-1101). Apple closes the twin memory corruptio...
Remote-code exec in iOS, OS X iCloud, plus FREAK fix
While everyone was losing their mind over expensive watches, Apple sneaked out security fixes for iOS phones and tablets, and OS X computers. Both the OS X Security Update 2015-002 and iOS 8.2 address critical flaws. Leading the charge is a patch to squish the FREAK bug in the two operating systems' SSL/TLS code. Disclosed last week by researchers, the flaw allows an eavesdropper to intercept connections to HTTPS websites and downgrade the strength of the encryption, allowing miscreants to crack...