Release date:
Updated on:
Affected Systems:
Apple Mac OS X
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67024
CVE (CAN) ID: CVE-2014-1296
OS X (formerly Mac OS X) is the latest version of Apple's proprietary operating system for Mac computers.
In Apple Mac OS X 10.9.2, a Set-Cookie HTTP header is processed even when the connection is closed before the header line is complete. An attacker who can force the connection to close before the cookie's security settings are sent can cause the cookie to be stored without those settings and then obtain the value of the unprotected cookie.
<* Source: Antoine Delignat-Lavaud
Link: http://support.apple.com/kb/HT1222
*>
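The following is an added illustration of the parsing defect described above; it is not code from the advisory or from Apple's CFNetwork. It shows a minimal HTTP response header parser in two variants: a naive one that accepts a trailing partial header line when the connection closes mid-line, and a strict one that only accepts header lines terminated by CRLF (the behaviour Apple's fix describes as "ignoring incomplete HTTP header lines"). The response bytes and cookie values are constructed sample data; the function names are this example's own.

```python
"""Added example (not from the advisory or Apple's code): minimal HTTP header
parsing showing why an incomplete Set-Cookie line must be discarded.

Constructed sample data: a response whose Set-Cookie line carries Secure and
HttpOnly, and the same response truncated in the middle of that line, as it
would arrive if the connection closed before the CRLF was received.
"""
from typing import Callable, Dict, List, Tuple

FULL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Connection closed after "Sec": the attribute list never finished arriving.
TRUNCATED_RESPONSE = FULL_RESPONSE[: len(b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Sec")]

Header = Tuple[str, str]


def _split_header_lines(head: bytes) -> List[Header]:
    """Turn the header block (status line included) into (name, value) pairs."""
    headers = []
    for line in head.split(b"\r\n")[1:]:  # drop the status line
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return headers


def parse_headers_naive(raw: bytes) -> List[Header]:
    """Vulnerable variant: whatever bytes arrived are treated as header lines,
    so a line cut off by a closed connection is parsed as if complete."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return _split_header_lines(head)


def parse_headers_strict(raw: bytes) -> List[Header]:
    """Hardened variant: a header line counts only if its terminating CRLF was
    received. Without the end-of-headers marker, the trailing fragment after
    the last CRLF is incomplete and is dropped rather than parsed."""
    head, end_marker, _ = raw.partition(b"\r\n\r\n")
    if not end_marker:
        head = head.rsplit(b"\r\n", 1)[0] if b"\r\n" in head else b""
    return _split_header_lines(head)


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Extract name, value and the two security attributes from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {
        "name": name.strip(),
        "value": val.strip(),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def cookies_from(raw: bytes, header_parser: Callable[[bytes], List[Header]]) -> List[Dict[str, object]]:
    """Return the cookies a client using `header_parser` would store for `raw`."""
    return [parse_set_cookie(v) for n, v in header_parser(raw) if n.lower() == "set-cookie"]


if __name__ == "__main__":
    for label, parser in (("naive", parse_headers_naive), ("strict", parse_headers_strict)):
        print(label, "full:     ", cookies_from(FULL_RESPONSE, parser))
        print(label, "truncated:", cookies_from(TRUNCATED_RESPONSE, parser))
```

With the naive parser, the truncated response yields a `session` cookie with `secure` and `httponly` both false, which is exactly the stripped-attribute outcome the advisory describes; the strict parser stores nothing from the truncated response and the fully attributed cookie from the complete one. A client-side check that a cookie parser applies the same rule (no CRLF, no header) is the mitigation to verify.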
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apple
-----
Apple has released a Security Bulletin (APPLE-SA-2014-04-22-1) and patches for this:
APPLE-SA-2014-04-22-1: Security Update 2014-002
Link: http://support.apple.com/kb/HT1222