ISC StormCast for Tuesday, March 13th 2012 http://isc.sans.edu/podcastdetail.html?id=2392

OpenSSL Security Update

Published: 2012-03-12. Last Updated: 2012-03-12 20:52:58 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

OpenSSL has issued a security update for the CMS and S/MIME Bleichenbacher attack (CVE-2012-0884). "SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code." [1]

OpenSSL 0.9.8u and OpenSSL 1.0.0h are available for download here.

[1] http://www.openssl.org/news/secadv_20120312.txt
[2] http://www.openssl.org/source/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: Advisory OpenSSL
0 comment(s)

Apple Released Safari 5.1.4

Published: 2012-03-12. Last Updated: 2012-03-12 18:06:53 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple released Safari 5.1.4 for Windows as well as for OS X.

This update addresses a large number of bugs in Safari itself and in WebKit. Some of the issues fixed:

- Safari for Windows: An International Domain Name (IDN) issue with look alike characters. (I just patched Safari for OS X, and oddly, Safari still appears to render .com domains using international characters vs. punny-code. Firefox and Chrome do not show international characters for .com )

- All versions of Safari: While private browsing was active, sites were still recorded in the browsing history.

- 5 different cross site scripting vulnerabilities in WebKit

- a cookie disclosure vulnerability (WebKit)

- a cross origin issue in Webkit.

- 40 or more webkit issues that could lead to arbitrary code execution.

The update should be listed eventually at the standard Apple security URL: http://support.apple.com/kb/HT1222 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

0 comment(s)

Comments


Diary Archives