AA-2009.0145 -- [Win][UNIX/Linux][Mac][OSX] -- HTTPS: Multiple Vulnerabilities

Date: 19 June 2009
References: ESB-2009.1296  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2009.0145                  AUSCERT Advisory

                        [Win][UNIX/Linux][Mac][OSX]
                      HTTPS: Multiple Vulnerabilities
                               19 June 2009
- ---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:              HTTPS
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Mac OS X
Impact:               Provide Misleading Information
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-2057 CVE-2009-2058 CVE-2009-2059
                      CVE-2009-2060 CVE-2009-2061 CVE-2009-2062
                      CVE-2009-2063 CVE-2009-2064 CVE-2009-2065
                      CVE-2009-2066 CVE-2009-2067 CVE-2009-2068
                      CVE-2009-2069 CVE-2009-2070 CVE-2009-2071
                      CVE-2009-2072 CVE-2009-2074 CVE-2009-2075
                      CVE-2009-2076 CVE-2009-2077
Member content until: Friday, July 17 2009

OVERVIEW:

       A research paper from Microsoft [1] describes a family of attacks
       on HTTPS that apply whenever a browser reaches an https site through
       an HTTP proxy. An attacker who controls the proxy, or who can
       intercept traffic between the browser and the proxy, can run script
       in the context of an https site or make the browser show the
       padlock and certificate of a genuine site over attacker-supplied
       content. All major browsers and many websites are affected.


IMPACT:

       Microsoft Internet Explorer, Opera and Google Chrome display a cached
       certificate, and the padlock that goes with it, for an error page
       (such as a 502 response) returned by the proxy in answer to a
       CONNECT request. An attacker in control of the proxy can therefore
       spoof an arbitrary https site: first let the browser complete a
       genuine connection to the site so that its valid certificate is
       cached, then answer a subsequent CONNECT for that site with a
       crafted 502 response page. The browser renders the attacker's page
       while presenting the real site's certificate and padlock.

       Apple Safari does not even require a cached certificate: it displays
       the padlock icon for an https site when given a crafted CONNECT
       response page.

       The vulnerabilities are:

       CVE-2009-2069 Microsoft Internet Explorer before 8
       CVE-2009-2070 Opera
       CVE-2009-2071 Google Chrome before 1.0.154.53
       CVE-2009-2072 Apple Safari
       

       Microsoft Internet Explorer, Apple Safari, Opera and Google Chrome
       are vulnerable to an "SSL tampering attack": when the proxy answers
       a CONNECT request with an error response instead of establishing
       the tunnel, the browser renders the response body in the context of
       the https site that was requested. A man-in-the-middle between the
       browser and the proxy, or a malicious proxy, can thus inject
       arbitrary web script that runs with the https site's origin, even
       though no TLS handshake with that site has taken place.

       The vulnerabilities are:

       CVE-2009-2057 Microsoft Internet Explorer before 8
       CVE-2009-2058 Apple Safari before 3.2.2
       CVE-2009-2059 Opera, possibly before 9.25
       CVE-2009-2060 Google Chrome before 1.0.154.53

       Mozilla Firefox, Apple Safari and Opera are vulnerable to the
       related attack in which the modified CONNECT response is a 3xx
       redirect: the browser follows the redirect before any TLS handshake
       has taken place, which again allows arbitrary web script to be
       injected into an https site.
       
       The vulnerabilities are:

       CVE-2009-2061 Mozilla Firefox before 3.0.10
       CVE-2009-2062 Apple Safari before 3.2.2
       CVE-2009-2063 Opera, possibly before 9.25
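
       The CONNECT exchanges behind the three groups of CVEs above (error
       response rendered in the https origin, 3xx redirect followed before
       the handshake, and padlock drawn from a cached certificate) as an
       added worked example. This is editor-written model code, not code
       from the paper or from any browser; the hostnames bank.example and
       evil.example, the proxy replies and the local proxy port are
       constructed, and `legacy=True` models the pre-fix behaviour the
       advisory describes rather than any one browser's exact code.

```python
"""Browser-side handling of a proxy's reply to CONNECT, safe vs. pre-fix.

Added example for this advisory; hostnames, replies and the proxy port are
constructed. `legacy=True` models the pre-fix behaviour the advisory
describes, not any specific browser's code.
"""
import re
import socket
import threading

# --- constructed proxy replies --------------------------------------------
HONEST_PROXY = b"HTTP/1.1 200 Connection established\r\n\r\n"

# An error page carrying script, as a malicious proxy would send it.
ERR_BODY = b"<html><script>document.location='http://evil.example/'</script></html>"
BAD_PROXY_502 = (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(ERR_BODY)) + ERR_BODY

# A redirect given in answer to CONNECT, before any TLS handshake.
BAD_PROXY_302 = (b"HTTP/1.1 302 Found\r\nLocation: https://evil.example/\r\n"
                 b"Content-Length: 0\r\n\r\n")


def build_connect_request(host, port=443):
    """The request a browser sends to open a tunnel to host:port via the proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n").encode()


def parse_connect_response(raw):
    """Split a raw HTTP reply into (status, headers, body). Minimal on purpose."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return int(m.group(1)), headers, body


def browser_action(raw, host, cert_cache, legacy=False):
    """What the browser does with the proxy's reply to CONNECT host:443.

    Returns (action, origin_or_target, show_padlock). `cert_cache` is the set
    of hosts whose certificate the browser has already seen on an earlier,
    genuine connection.
    """
    status, headers, _body = parse_connect_response(raw)
    if status == 200:
        # Tunnel is up. The https origin and the padlock are earned only by a
        # successful TLS handshake inside the tunnel, never by this reply.
        return ("tls_handshake", None, False)
    if legacy:
        # Pre-fix behaviour described in the advisory:
        #  - a 3xx reply is followed before any handshake (CVE-2009-2061..2063)
        #  - a 4xx/5xx body is rendered as if it came from https://host
        #    (CVE-2009-2057..2060), with the padlock taken from the cached
        #    certificate for that host (CVE-2009-2069..2071)
        if 300 <= status < 400 and "location" in headers:
            return ("follow_redirect", headers["location"], False)
        return ("render", "https://%s" % host, host in cert_cache)
    # Safe handling: the proxy's reply has nothing to do with the https site,
    # so it is shown (if at all) as an opaque proxy error with no padlock and
    # no access to the site's origin, and redirects in it are not followed.
    return ("proxy_error", "opaque", False)


# --- optional live exchange over a local socket ---------------------------
def _bad_proxy_once(listener, reply):
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)            # the CONNECT request, ignored on purpose
        conn.sendall(reply)


def exchange_with_proxy(proxy_addr, host):
    """Send CONNECT host:443 to proxy_addr and return the raw reply."""
    with socket.create_connection(proxy_addr, timeout=5) as s:
        s.sendall(build_connect_request(host))
        return s.recv(65536)


if __name__ == "__main__":
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_bad_proxy_once, args=(listener, BAD_PROXY_502),
                     daemon=True).start()
    raw = exchange_with_proxy(listener.getsockname(), "bank.example")
    cache = {"bank.example"}       # the user visited the real site earlier
    print("pre-fix :", browser_action(raw, "bank.example", cache, legacy=True))
    print("fixed   :", browser_action(raw, "bank.example", cache))
```

       Run stand-alone, the script plays a malicious proxy on a local port,
       sends it a CONNECT for bank.example and prints the two outcomes: the
       pre-fix model renders the 502 body as https://bank.example with the
       padlock on, the safe model treats it as an opaque proxy error. The
       point of the safe branch is that nothing received before a completed
       TLS handshake may carry the https site's origin, padlock or
       certificate; Safari's variant (CVE-2009-2072) shows the padlock
       without even needing a cached certificate, so the cert_cache check
       in the legacy branch is a stronger precondition than that browser
       required.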

       
       Mozilla Firefox, Opera, Microsoft Internet Explorer, Google Chrome
       and Apple Safari are vulnerable to a man-in-the-middle attack in
       which script is injected into an https site by way of an http page:
       the attacker modifies an http page so that it includes an https
       iframe whose document references a script file on an http site.
       The script is fetched over http, where the attacker can replace it,
       yet it runs in the https document's context. Because this abuses
       content that the site itself loads over http, it is a problem for
       websites as well as for browsers.

       The vulnerabilities are:

       CVE-2009-2064 Microsoft Internet Explorer 8
       CVE-2009-2065 Mozilla Firefox 3.0.10, and possibly other versions
       CVE-2009-2066 Apple Safari
       CVE-2009-2067 Opera
       CVE-2009-2068 Google Chrome
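
       A website-side check for the iframe/script pattern just described,
       as an added example (editor-written, not code from the paper or any
       browser): a scanner over the source of an https page that reports
       every script, style sheet, frame or plugin reference which resolves
       to plain http, since each of those is a place where a
       man-in-the-middle can substitute content that then runs in the
       https document. The page URL, the HTML and the hostnames are
       constructed.

```python
"""Find active content that an https page loads over plain http.

Added example for this advisory, not code from the paper. The page URL and
HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that pull in script or other active content. Images
# are deliberately excluded: they are passive content and cannot run script.
ACTIVE_REFERENCES = (
    ("script", "src"),
    ("iframe", "src"),
    ("frame", "src"),
    ("object", "data"),
    ("embed", "src"),
    ("link", "href"),      # only when rel="stylesheet"; see below
)


class ActiveMixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []     # (tag, absolute http URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for ref_tag, ref_attr in ACTIVE_REFERENCES:
            if tag != ref_tag or not attrs.get(ref_attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue       # icons, prefetch hints etc. are not active content
            # Resolve relative and protocol-relative URLs against the https
            # page: "/x.js" and "//cdn/x.js" both become https and are fine.
            url = urljoin(self.page_url, attrs[ref_attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, url))


def find_active_mixed_content(page_url, html):
    """Return [(tag, url)] for each active resource the https page loads over http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be an https URL")
    scanner = ActiveMixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an https page whose author also serves it over http and
# therefore referenced some assets with hard-coded http URLs.
SAMPLE_PAGE_URL = "https://bank.example/account"
SAMPLE_HTML = """<html><head>
<script src="https://bank.example/app.js"></script>
<script src="//static.example/ui.js"></script>
<script src="/js/local.js"></script>
<script src="http://cdn.example/lib.js"></script>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
</head><body>
<img src="http://images.example/logo.png">
<iframe src="http://partner.example/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_active_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("active content over http: <%s> %s" % (tag, url))
```

       On the sample page the scanner flags the http script, the http style
       sheet and the http iframe, and ignores the https, protocol-relative
       and site-relative scripts, the icon link and the image. It inspects
       only the markup it is given; scripts that load further resources at
       run time are outside its reach, so it is a pre-deployment check, not
       a substitute for browser-side handling of mixed content.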


MITIGATION:

       Patches are available for some of these issues and others are in
       the process of being patched. Please refer to the vendors' websites
       for updates.

       Fixes are available for the following:

       CVE-2009-2058 Apple Safari before 3.2.2
       CVE-2009-2059 Opera, possibly before 9.25
       CVE-2009-2060 Google Chrome before 1.0.154.53
       CVE-2009-2061 Mozilla Firefox before 3.0.10
       CVE-2009-2062 Apple Safari before 3.2.2
       CVE-2009-2063 Opera, possibly before 9.25
       CVE-2009-2071 Google Chrome before 1.0.154.53

       Microsoft Internet Explorer 8 is not affected by CVE-2009-2057 or
       CVE-2009-2069. At the time of writing no fix is listed for the
       remaining CVEs; in particular the iframe/script issue
       (CVE-2009-2064 to CVE-2009-2068) affects the current versions of
       all five browsers.

       These attacks require a browser that reaches https sites through an
       HTTP proxy (including a proxy configured automatically via WPAD or
       a PAC file) on a network where the proxy, or the path to it, is not
       trustworthy; limiting proxy use to trusted networks reduces the
       exposure until fixes are installed. Website operators can remove
       their exposure to the iframe/script attack by ensuring that pages
       served over https never load scripts, style sheets, frames or
       plugin content over http.

       Please see the Microsoft Research page for further details on the
       investigation of these vulnerabilities. [1]
       Further details regarding the individual CVEs can be found on the 
       NIST website. [2]


REFERENCES:

       [1] Microsoft Research
           http://research.microsoft.com/apps/pubs/default.aspx?id=79323

       [2] National Vulnerability Database
           http://web.nvd.nist.gov

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKOyCwNVH5XJJInbgRAoRMAJ9zHNP2GLdTzwyCfqLWK257rWRavACeMOtd
cQweudO/JtKSRiPLIaiW2AY=
=GtzG
-----END PGP SIGNATURE-----