SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   iChat
Vendors:   Apple Computer
iChat May Use Non-secure Communications for AIM/Jabber Accounts Configured for SSL
SecurityTracker Alert ID:  1022212
SecurityTracker URL:  http://securitytracker.com/id/1022212
CVE Reference:   CVE-2009-0152
Date:  May 13 2009
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in iChat. A remote user monitoring the network between the iChat client and the server can obtain the chat data.

iChat disables SSL for AOL Instant Messenger (AIM) and Jabber accounts when it is unable to connect to the server. Subsequent chat connections are not encrypted until SSL is manually re-enabled. A remote user monitoring the network between the iChat client and the server can obtain the chat session information.

Impact:   A remote user monitoring the network between the iChat client and the server can obtain the chat data.
Solution:   The vendor has issued a fix (APPLE-SA-2009-05-12 Security Update 2009-002; and Mac OS X 10.5.7), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2009-002 or Mac OS X v10.5.7.

For Mac OS X v10.5.6
The download file is named: MacOSXUpd10.5.7.dmg
Its SHA-1 digest is: 0173995ad572f2bc11d802671136e5e5c1afe116

For Mac OS X v10.5 - v10.5.5
The download file is named: MacOSXUpdCombo10.5.7.dmg
Its SHA-1 digest is: 646fd1ac31c679c6a5aebe8ac74f190ab774cd38

For Mac OS X Server v10.5.6
The download file is named: MacOSXServerUpd10.5.7.dmg
Its SHA-1 digest is: 476b1f7c0e91eb8974eee84d9ee0f064964dce6d

For Mac OS X Server v10.5 - v10.5.5
The download file is named: MacOSXServerUpdCombo10.5.7.dmg
Its SHA-1 digest is: 20230891a42cb78ca38019527b708ef1549f61ae

For Mac OS X v10.4.11 (Intel)
The download file is named: SecUpd2009-002Intel.dmg
Its SHA-1 digest is: fc0143380efaf4aa7f320d1e2a84528c8e41a000

For Mac OS X v10.4.11 (PowerPC)
The download file is named: SecUpd2009-002PPC.dmg
Its SHA-1 digest is: 9e9b69c18450a1fa81484d7366a67ae97cfc52c7

For Mac OS X Server v10.4.11 (Universal)
The download file is named: SecUpdSrvr2009-002Univ.dmg
Its SHA-1 digest is: f0048c912ae939c1b5c95db5e843b4ee6cf60c21

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: SecUpdSrvr2009-002PPC.dmg
Its SHA-1 digest is: 525d90cc0d5bc00edd3f9a44e8447492a962f571

The vendor's advisory is available at:

http://support.apple.com/kb/HT3549

Vendor URL:  support.apple.com/kb/HT3549
Cause:   Access control error
Underlying OS:   UNIX (OS X)

Message History:   None.


 Source Message Contents

Date:  Wed, 13 May 2009 01:43:52 -0400
Subject:  Apple iChat


iChat
CVE-ID:  CVE-2009-0152
Available for:  Mac OS X v10.5 through v10.5.6,
Mac OS X Server v10.5 through v10.5.6
Impact:  iChat AIM communications configured for SSL may downgrade to
plaintext
Description:  iChat supports Secure Sockets Layer (SSL) for AOL
Instant Messenger and Jabber accounts. iChat automatically disables
SSL for AOL Instant Messenger accounts when it is unable to connect,
and sends subsequent communications in plain text until SSL is
manually re-enabled. A remote attacker with the ability to observe
network traffic from an affected system may obtain the contents of
AOL Instant Messenger conversations. This update addresses the issue
by changing the behavior of iChat to always attempt to use SSL, and
to use less secure channels only if the "Require SSL" preference is
not enabled. This issue does not affect systems prior to Mac OS X
v10.5, as they do not support SSL for iChat accounts.
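
The difference between the two behaviors described in the advisory can be modeled as a small state machine. This is an added example, not code from Apple or from the original advisory; the names `Account`, `connect_flawed`, `connect_fixed`, `run_sessions` and `exposed`, and the sample outage sequence, are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    use_ssl: bool = True        # stored per-account SSL setting (hypothetical model)
    require_ssl: bool = False   # models the "Require SSL" preference


def connect_flawed(acct, tls_reachable):
    """Pre-fix model: one failed SSL attempt switches the stored setting off."""
    if acct.use_ssl:
        if tls_reachable:
            return "tls"
        acct.use_ssl = False    # silent, persistent downgrade
    return "plaintext"


def connect_fixed(acct, tls_reachable):
    """Post-fix model: always attempt SSL; fall back only if not required."""
    if tls_reachable:
        return "tls"
    if acct.require_ssl:
        return "refused"        # fail closed instead of sending plaintext
    return "plaintext"          # fallback applies to this connection only


def run_sessions(connect, acct, reachability):
    """Run one connection per entry in reachability and record the channel."""
    return [connect(acct, ok) for ok in reachability]


def exposed(channels):
    """Count sessions an on-path observer could read."""
    return sum(1 for c in channels if c == "plaintext")


# Constructed scenario: the SSL endpoint is unreachable once, then recovers.
OUTAGE = [True, False, True, True]

if __name__ == "__main__":
    for name, fn, acct in [
        ("flawed", connect_flawed, Account()),
        ("fixed", connect_fixed, Account()),
        ("fixed + Require SSL", connect_fixed, Account(require_ssl=True)),
    ]:
        result = run_sessions(fn, acct, OUTAGE)
        print(f"{name:20} {result} exposed={exposed(result)}")
```

In the flawed model a single transient failure leaves every later session in plaintext, while the fixed model limits exposure to the failed attempt, or to none when "Require SSL" is enabled.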


 
 



Copyright 2014, SecurityGlobal.net LLC