Safari 7.1 vulnerable to POODLE SSLv3 vulnerability (CVE-2014-3566)
| Originator: | pepi.zawodsky | | |
| Number: | rdar://18707303 | Date Originated: | 20-Oct-2014 03:21 PM |
| Status: | Open | Resolved: | |
| Product: | Safari | Product Version: | Version 7.1 (9537.85.10.17.1) |
| Classification: | Security | Reproducible: | Always |
Summary: Safari 7.1 vulnerable to POODLE SSLv3 vulnerability (CVE-2014-3566)

Steps to Reproduce: See CVE-2014-3566

Expected Results: Apple should have turned OFF SSLv3 for Safari with Security Update 2014-005

Actual Results: Apple did not mitigate CVE-2014-3566 by turning OFF SSLv3.

Regression: OS X users are left vulnerable by Apple again for who-knows-how-long.

Notes: Other browsers and operating systems give users a possibility to protect themselves from damage by being able to turn off SSLv3 in their operating systems and browsers. OS X does not offer ANY option to configure transport security and leaves users vulnerable.