“On Apple macOS and iOS, most client applications (e.g. Safari, Mail.app, Google Chrome) use the built-in system certificate validation agent to validate an X.509 certificate. An application that passes a malicious certificate to the certificate validation agent could trigger this vulnerability,” Talos reports. “Possible scenarios where this could be exploited include users connecting to a website which serves a malicious certificate to the client, Mail.app connecting to a mail server that provides a malicious certificate, or opening a malicious certificate file to import into the keychain.”
Talos reports, “This vulnerability has been responsibly disclosed to Apple and software updates have been released that address this issue for both macOS and iOS.”
MacDailyNews Take: Another one bites the dust!
Apple releases iOS 10.3, watchOS 3.2, and tvOS 10.2 – March 27, 2017
Apple releases macOS Sierra 10.12.4 – March 27, 2017