[MacTUG] Apple Fixes Serious SSL Issue in OSX and iOS | Threatpost | The first stop for security news

[Marlon A. Griffith]

"""
In a ‘triple handshake’ attack, it was possible for an attacker to
establish two connections which had the same encryption keys and
handshake, insert the attacker’s data in one connection, and renegotiate
so that the connections may be forwarded to each other,” the Apple
advisory says.

The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks
10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious
problems that have affected SSL in recent months, most notably the
OpenSSL heartbleed vulnerability disclosed earlier this month.

Among the other flaws Apple patched in its new releases are a number
other severe vulnerabilities. For OSX Mavericks users, the two most
concerning issues are a pair of buffer overflows that could lead to
remote code execution. One of the bugs is in the font parser and the
second is in the imageIO component. The upshot of the vulnerabilities is
that opening a malicious PDF or JPEG could lead to arbitrary code execution.

“Set-Cookie HTTP headers would be processed even if the connection
closed before the header line was complete. An attacker could strip
security settings from the cookie by forcing the connection to close
before the security settings were sent, and then obtain the value of the
unprotected cookie,” Apple said in its advisory.

https://threatpost.com/apple-fixes-serious-ssl-issue-in-osx-and-ios/105631
"""