
Apple patches OS X to protect against POODLE

Gregg Keizer | Oct. 20, 2014
POODLE, for "Padding Oracle On Downgraded Legacy Encryption," was disclosed earlier this week by a trio of Google security engineers who revealed how a design flaw in SSL (Secure Socket Layer) 3.0 could be exploited by criminals.

BEAST was the hacking tool released in September 2011 that exploited other flaws in SSL 3.0 and TLS 1.0.

But Ullrich also reported that after applying Security Update 2014-005, his POODLE detector still showed Safari as vulnerable.

"In my own testing after applying the patch, I can't see this behavior [as outlined by Apple]," Ullrich wrote in an email. "My version of Safari still happily connects to an SSLv3 server using AES as a cipher."

Cipher suites that use AES in CBC mode are among those Google had highlighted as vulnerable to the BEAST attack, as well as to the subsequent "Lucky 13" attack unveiled in February 2013.

Ullrich said he is continuing to investigate why Safari shows as vulnerable, even after the security update has been applied.

The lack of a corresponding update for Lion from Apple yesterday confirms that the company has stopped supporting the three-year-old OS X 10.7 by cutting it off from security patches, as Computerworld assumed would happen.

Security Update 2014-005 can be retrieved by selecting "Software Update..." from the Apple menu on a Mavericks- or Mountain Lion-powered machine, or by opening the Mac App Store application and clicking the Update icon at the top right.
