| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHmS9PLZ-7C1kjCHtiF30-snc0HxCTk9=7hnhUTHisbZ7J7uGw@mail.gmail.com> Date: Mon, 1 Aug 2016 08:25:25 -0400 From: David Coomber <davidcoomber.infosec@...il.com> To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, cert@...t.org, vuln@...unia.com Subject: [FD] Kaspersky Safe Browser iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-6231) Kaspersky Safe Browser iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-6231) -- http://www.info-sec.ca/advisories/Kaspersky-Safe-Browser.html Overview "Stay safe from malicious links, suspicious content and identity theft while you surfing the Internet." "Our Safe Browser covers the original iPhone & iPad web browser and detects & blocks phishing sites that can steal your money & your account details, eliminates unwanted content & notifies about spam links - for you to surf the web without frontiers… safely." "You will get: - Advanced Anti-Phishing to effectively block fake websites - Proactive detection of fraudulent links / URLs - powered by the cloud - Content filtering to choose & block specific categories of unwanted info - Safe internet browsing across Google, Bing, Yandex and Yahoo search engines" (https://itunes.apple.com/us/app/kaspersky-safe-browser-fast/id723879672) Issue The Kaspersky Safe Browser iOS application (version 1.6.0 and below), does not validate SSL certificates it receives when connecting to secure sites. Impact An attacker who can perform a man in the middle attack may present a bogus SSL certificate for a secure site which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge. Timeline June 23, 2016 - Notified Kaspersky via vulnerability@...persky.com June 23, 2016 - Kaspersky responded that they will investigate June 27, 2016 - Kaspersky confirmed the vulnerability and advised that the issue would be resolved in the next release June 27, 2016 - Asked for a timeline when the new version would be released June 30, 2016 - Kaspersky responded stating that they do not yet have a release date July 18, 2016 - Kaspersky advised that the update is scheduled to be released at the end of July July 28, 2016 - Kaspersky released version 1.7.0 which resolves this vulnerability Solution Upgrade to version 1.7.0 or later https://support.kaspersky.com/vulnerability.aspx?el=12430#280716 CVE-ID: CVE-2016-6231 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists