Kaspersky Safe Browser iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-6231)
Overview
"Stay safe from malicious links, suspicious content and identity theft while you surfing the Internet."
"Our Safe Browser covers the original iPhone & iPad web browser and detects & blocks phishing sites that can steal your money & your account details, eliminates
unwanted content & notifies about spam links - for you to surf the web without frontiers… safely."
"You will get:
- Advanced Anti-Phishing to effectively block fake websites
- Proactive detection of fraudulent links / URLs - powered by the cloud
- Content filtering to choose & block specific categories of unwanted info
- Safe internet browsing across Google, Bing, Yandex and Yahoo search engines"
(https://itunes.apple.com/us/app/kaspersky-safe-browser-fast/id723879672)
Issue
The Kaspersky Safe Browser iOS application (version 1.6.0 and below), does not validate SSL certificates it receives when connecting to secure sites.
Impact
An attacker who can perform a man in the middle attack may present a bogus SSL certificate for a secure site which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge.
Timeline
June 23, 2016 - Notified Kaspersky via vulnerability@kaspersky.com
June 23, 2016 - Kaspersky responded that they will investigate
June 27, 2016 - Kaspersky confirmed the vulnerability and advised that the issue would be resolved in the next release
June 27, 2016 - Asked for a timeline when the new version would be released
June 30, 2016 - Kaspersky responded stating that they do not yet have a release date
July 18, 2016 - Kaspersky advised that the update is scheduled to be released at the end of July
July 28, 2016 - Kaspersky released version 1.7.0 which resolves this vulnerability
Solution
Upgrade to version 1.7.0 or later
https://support.kaspersky.com/vulnerability.aspx?el=12430#280716
Kaspersky's Pwnie Nomination For Most Epic FAIL
https://pwnies.com/httpsafe-browser/
CVE-ID:
CVE-2016-6231
Questions?
Contact Information