Apple Patches OS X and iOS, Provides Heartbleed Update
OS X and iOS get patched for the "triple handshake" flaw as Apple provides a Heartbleed update for its WiFi access points.

Apple is updating its iOS mobile operating system, the OS X desktop operating system and the firmware on the AirPort WiFi access point to fix security vulnerabilities, with a series of security updates released on April 22.

Among the patched issues, several affect both iOS and OS X, one of which is a fix for the so-called "triple handshake" attack, identified as CVE-2014-1295.

"In a triple handshake attack, it was possible for an attacker to establish two connections that had the same encryption keys and handshake, insert the attacker's data in one connection and renegotiate so that the connections may be forwarded to each other," Apple warned in its advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."

There is also a flaw in the CFNetwork HTTP protocol implementation in both iOS and OS X; the vulnerability is identified as CVE-2014-1296.

"Set-cookie HTTP headers would be processed even if the connection closed before the header line was complete," Apple warned. "An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie."
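
The Set-Cookie behaviour described in the advisory, as an added example that is not Apple's code: a lenient parser accepts a header line cut off by an early connection close and stores the cookie without its security attributes, while a strict parser only processes lines terminated by CRLF. The function names and the sample response bytes are constructed for illustration.

```python
# Constructed sample: a complete response header block, and the same bytes
# cut off part-way through the Set-Cookie line (connection closed early).
FULL = (b"HTTP/1.1 200 OK\r\n"
        b"Set-Cookie: sid=abc123; Secure; HttpOnly\r\n"
        b"Content-Length: 0\r\n\r\n")
TRUNCATED = FULL[:FULL.index(b"; Secure")]


def parse_cookie(line):
    """Return (name, value, attribute set) for one Set-Cookie header line."""
    _, _, rest = line.partition(b":")
    parts = [p.strip() for p in rest.split(b";")]
    name, _, value = parts[0].partition(b"=")
    attrs = {p.split(b"=")[0].lower().decode() for p in parts[1:] if p}
    return name.decode(), value.decode(), attrs


def is_set_cookie(line):
    return line.lower().startswith(b"set-cookie:")


def cookies_lenient(raw):
    """Flawed behaviour: every chunk is processed, terminated or not."""
    return [parse_cookie(l) for l in raw.split(b"\r\n") if is_set_cookie(l)]


def cookies_strict(raw):
    """Process only header lines that ended with CRLF; drop a trailing partial line."""
    complete, sep, _partial = raw.rpartition(b"\r\n")
    if not sep:
        return []  # not even one complete line was received
    return [parse_cookie(l) for l in complete.split(b"\r\n") if is_set_cookie(l)]


if __name__ == "__main__":
    for label, raw in (("full", FULL), ("truncated", TRUNCATED)):
        print(label, "lenient:", cookies_lenient(raw))
        print(label, "strict: ", cookies_strict(raw))
```

On the truncated input the lenient parser returns the `sid` cookie with an empty attribute set, so it would be stored without `Secure` or `HttpOnly`; the strict parser returns nothing.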