Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog


OpenSSL Security Update

Published: 2012-03-12
Last Updated: 2012-03-12 20:52:58 UTC
by Guy Bruneau (Version: 1)

OpenSSL has issued a security update for the CMS and S/MIME Bleichenbacher attack (CVE-2012-0884). "SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code." [1]

OpenSSL 0.9.8u and OpenSSL 1.0.0h are available for download here.



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: Advisory OpenSSL

Apple Released Safari 5.1.4

Published: 2012-03-12
Last Updated: 2012-03-12 18:06:53 UTC
by Johannes Ullrich (Version: 1)

Apple released Safari 5.1.4 for Windows as well as for OS X.

This update addresses a large number of bugs in Safari itself and in WebKit. Some of the issues fixed:

- Safari for Windows: An International Domain Name (IDN) issue with look-alike characters. (I just patched Safari for OS X, and oddly, Safari still appears to render .com domains using international characters vs. Punycode. Firefox and Chrome do not show international characters for .com.)

- All versions of Safari: While private browsing was active, sites were still recorded in the browsing history.

- 5 different cross-site scripting vulnerabilities in WebKit

- a cookie disclosure vulnerability (WebKit)

- a cross-origin issue in WebKit.

- 40 or more WebKit issues that could lead to arbitrary code execution.
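
For the IDN look-alike item in the list above, here is an added example (not code from Safari, Firefox, Chrome or this diary) of a display policy a client can apply: show Punycode whenever a hostname label mixes scripts or the TLD is on a Punycode-only list. The script table, the `PUNYCODE_ONLY_TLDS` list and the sample hostnames are constructed assumptions.

```javascript
// Added illustration; not Safari, Firefox or Chrome code.
// Scripts checked per label. Constructed, partial table (assumption).
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Hypothetical policy list: TLDs under which Unicode is never displayed.
const PUNYCODE_ONLY_TLDS = new Set(["com"]);

// Return the names of the scripts that occur in one hostname label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Decide what an address bar should show for a Unicode hostname.
function displayForm(unicodeHost) {
  const host = unicodeHost.toLowerCase();
  // The WHATWG URL parser serializes the host in its ASCII (xn--) form.
  const ascii = new URL("http://" + host).hostname;
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  const mixed = labels.filter((l) => scriptsIn(l).length > 1);
  let reason = "ascii";
  if (/[^\x00-\x7f]/.test(host)) {
    if (mixed.length > 0) reason = "mixed-script label";
    else if (PUNYCODE_ONLY_TLDS.has(tld)) reason = "tld policy";
    else reason = "unicode allowed";
  }
  // Single-script look-alike labels are only caught by the TLD rule here.
  const show = reason === "unicode allowed" ? host : ascii;
  return { show, ascii, reason };
}

// Constructed samples: \u0430 is CYRILLIC SMALL LETTER A inside a Latin label.
for (const h of ["example.com", "ex\u0430mple.com", "пример.com", "пример.org"]) {
  const r = displayForm(h);
  console.log(`${r.reason.padEnd(20)} ${r.show}`);
}
```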

The update should be listed eventually at the standard Apple security URL: 

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
