Are you sure you are running Snow Leopard (10.6.x)?Īs to the question of whether Snow Leopard is affected by the triple handshake bug, it has been fixed for OS X 10.8.5 and 10.9.2 in the latest security update, but not for 10.7.5, which also got a security update at the same time. Software Update for my 10.6.8 Server is not showing this update. I don't know that these are related, but I would be surprised if they weren't.Īpple's published security notes and manual downloads page only mention the 2014-002 security update being released for Lion (OS X 10.7.5) and later versions. I'm on Snow Leopard and Software Update just notified me of 'Security Update 2014-002' which requires a system restart. ![]() ![]() Peter Bright Technology Editor jump to postĪnyone know if Snow Leopard is affected by this bug?.Post updated to add details about client authentication. Users should install them as soon as possible. The iOS and OS X updates Apple issued Tuesday, which Ars wrote about earlier here, fix a variety of other serious security vulnerabilities, some of which also affect Mac OS X Lion. Apple has reportedly updated its Airport Base Stations to fix that critical flaw as well, according to Macworld. More recently, the Internet was severely threatened by another extremely critical vulnerability in HTTPS software-the so-called Heartbleed bug in the widely used OpenSSL cryptographic library. More information about triple-handshake weaknesses is available here. Still, it's a serious bug because those apps are typically used by businesses and government agencies, where security is especially sensitive. By contrast, the triple handshake bug may be considered less severe because it affects a smaller class of applications. It wasn't fixed in OS X until four days after the bug became widely known, a delay that prompted criticism from security professionals because it potentially gave attackers a window to exploit Mavericks machines. ![]() "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection." Advertisementįurther Reading Extremely critical crypto flaw in iOS may also affect fully patched MacsThe patch comes three months after the disclosure of a separate serious HTTPS vulnerability dubbed "goto fail" that similarly threatened iOS and OS X Mavericks users. ![]() "In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," Apple's warning explained. Such "man-in-the-middle" attackers could exploit the bug by abusing the "triple handshake" carried out when secure connections are established by applications that use client certificates to authenticate end users. The bug makes it possible to bypass HTTPS encryption protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. The flaw resides in the secure transport mechanism of iOS version 7.1 and earlier for iPhones and iPads and the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to advisories here and here. Readers are urged to install the updates immediately. Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |