
SSL vulnerability in Kaspersky iOS app could allow MitM

Security researcher David Coomber spotted an SSL certificate vulnerability in the Kaspersky Safe Browser iOS app.

The flaw (CVE-2016-6231) could allow an attacker to perform man-in-the-middle (MitM) attacks by presenting a bogus SSL certificate for a secure site which the application would silently accept, according to an advisory on Coomber's blog Info-Sec.ca.

The bug is caused by the app's failure to validate the SSL certificates it receives when connecting to secure sites; versions 1.6.0 and below are affected.
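As an added illustration (not code from the article or from Kaspersky's app), the following Go program reproduces the class of failure the advisory describes and contrasts it with correct behaviour: an in-process HTTPS server presents a certificate that chains to no trusted root, standing in for an attacker's bogus certificate; the client that disables verification accepts it, while a client that keeps default validation refuses the handshake. The server, function names and printed labels are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startUntrustedServer runs an in-process HTTPS server whose certificate
// chains to no trusted root. It stands in for the bogus certificate a
// man-in-the-middle would present (constructed fixture, not the app's code).
func startUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello over TLS")
	}))
}

// fetch issues one GET with the given client TLS settings and returns the
// handshake/transport error, if any.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// VulnerableClientAccepts mirrors the CVE-2016-6231 failure mode: with
// verification disabled, any certificate, including an attacker's, is
// silently accepted and the request succeeds.
func VulnerableClientAccepts(url string) bool {
	return fetch(url, &tls.Config{InsecureSkipVerify: true}) == nil
}

// HardenedClientRejects keeps the default chain and hostname validation;
// the untrusted certificate makes the handshake fail (an x509
// "certificate signed by unknown authority" error under Go's verifier).
func HardenedClientRejects(url string) bool {
	return fetch(url, &tls.Config{}) != nil
}

func main() {
	srv := startUntrustedServer()
	defer srv.Close()
	fmt.Println("verification disabled, bogus cert accepted:", VulnerableClientAccepts(srv.URL))
	fmt.Println("default validation, bogus cert rejected:  ", HardenedClientRejects(srv.URL))
}
```

The same two-client check can be pointed at any TLS client wrapper to confirm it fails closed on an untrusted certificate before shipping.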

Coomber notified Kaspersky of the bug on June 23 and the issue was patched on July 28 in the release of version 1.7.0. Users are encouraged to update the app as soon as possible.

Kaspersky said in its own advisory that the “vulnerability could have been exploited only if user opens malware HTTPS link that is not detected by anti-phishing or other anti-malware engines embedded in the application.” 
