Vulnerability (CVE-2016-6231)
--
http://www.info-sec.ca/advisories/Kaspersky-Safe-Browser.html
Overview
"Stay safe from malicious links, suspicious content and identity theft
while you surfing the Internet."
"Our Safe Browser covers the original iPhone & iPad web browser and
detects & blocks phishing sites that can steal your money & your
account details, eliminates unwanted content & notifies about spam
links - for you to surf the web without frontiers… safely."
"You will get:
- Advanced Anti-Phishing to effectively block fake websites
- Proactive detection of fraudulent links / URLs - powered by the cloud
- Content filtering to choose & block specific categories of unwanted info
- Safe internet browsing across Google, Bing, Yandex and Yahoo search engines"
(https://itunes.apple.com/us/app/kaspersky-safe-browser-fast/id723879672)
Issue
The Kaspersky Safe Browser iOS application (version 1.6.0 and below)
does not validate the SSL certificates it receives when connecting to
secure sites.
Impact
An attacker who can perform a man-in-the-middle attack may present a
bogus SSL certificate for a secure site, which the application will
accept silently. Usernames, passwords and sensitive information could
be captured by an attacker without the user's knowledge.
Timeline
June 23, 2016 - Notified Kaspersky via vulnerability (at) kaspersky (dot) com
June 23, 2016 - Kaspersky responded that they will investigate
June 27, 2016 - Kaspersky confirmed the vulnerability and advised that
the issue would be resolved in the next release
June 27, 2016 - Asked for a timeline when the new version would be released
June 30, 2016 - Kaspersky responded stating that they do not yet have
a release date
July 18, 2016 - Kaspersky advised that the update is scheduled to be
released at the end of July
July 28, 2016 - Kaspersky released version 1.7.0 which resolves this
vulnerability
Solution
Upgrade to version 1.7.0 or later
https://support.kaspersky.com/vulnerability.aspx?el=12430#280716
CVE-ID:
CVE-2016-6231
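
The Issue and Impact sections above describe a client that silently accepts any certificate. As an added illustration (not code from the advisory or from Kaspersky, whose implementation the advisory does not show), the Swift example below assumes an app that connects through `URLSession` and contrasts a delegate that skips trust evaluation with one that validates the chain and host name; both class names are hypothetical.

```swift
import Foundation
import Security

typealias Done = (URLSession.AuthChallengeDisposition, URLCredential?) -> Void

// Weak form (hypothetical class): the presented chain is never evaluated, so a
// certificate from any issuer, for any host name, is accepted without an error.
final class AcceptAnyCertificateDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping Done) {
        let space = challenge.protectionSpace
        if space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = space.serverTrust {
            // Defect: the server's trust object is used as a credential unchecked.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

// Corrected form (hypothetical class): evaluate the chain against the system
// trust store with an SSL policy bound to the requested host, and fail closed.
// SecTrustEvaluateWithError requires iOS 12 or later.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping Done) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Host name checking is part of the policy, not a separate step.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        var error: CFError?
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustEvaluateWithError(trust, &error) else {
            // Untrusted chain, expired certificate or host mismatch: drop the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Returning `.performDefaultHandling` for server-trust challenges, or not implementing the delegate method at all, also leaves validation to the system.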