lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 1 Aug 2016 08:25:25 -0400
From: David Coomber <davidcoomber.infosec@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, cert@...t.org,
  vuln@...unia.com
Subject: Kaspersky Safe Browser iOS Application - MITM SSL Certificate
 Vulnerability (CVE-2016-6231)

Kaspersky Safe Browser iOS Application - MITM SSL Certificate
Vulnerability (CVE-2016-6231)
--
http://www.info-sec.ca/advisories/Kaspersky-Safe-Browser.html

Overview

"Stay safe from malicious links, suspicious content and identity theft
while you surfing the Internet."

"Our Safe Browser covers the original iPhone & iPad web browser and
detects & blocks phishing sites that can steal your money & your
account details, eliminates unwanted content & notifies about spam
links - for you to surf the web without frontiers… safely."

"You will get:

- Advanced Anti-Phishing to effectively block fake websites
- Proactive detection of fraudulent links / URLs - powered by the cloud
- Content filtering to choose & block specific categories of unwanted info
- Safe internet browsing across Google, Bing, Yandex and Yahoo search engines"

(https://itunes.apple.com/us/app/kaspersky-safe-browser-fast/id723879672)

Issue

The Kaspersky Safe Browser iOS application (version 1.6.0 and below),
does not validate SSL certificates it receives when connecting to
secure sites.

Impact

An attacker who can perform a man in the middle attack may present a
bogus SSL certificate for a secure site which the application will
accept silently. Usernames, passwords and sensitive information could
be captured by an attacker without the user's knowledge.

Timeline

June 23, 2016 - Notified Kaspersky via vulnerability@...persky.com
June 23, 2016 - Kaspersky responded that they will investigate
June 27, 2016 - Kaspersky confirmed the vulnerability and advised that
the issue would be resolved in the next release
June 27, 2016 - Asked for a timeline when the new version would be released
June 30, 2016 - Kaspersky responded stating that they do not yet have
a release date
July 18, 2016 - Kaspersky advised that the update is scheduled to be
released at the end of July
July 28, 2016 - Kaspersky released version 1.7.0 which resolves this
vulnerability

Solution

Upgrade to version 1.7.0 or later

https://support.kaspersky.com/vulnerability.aspx?el=12430#280716

CVE-ID:

CVE-2016-6231

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ