In association with heise online

03 April 2013, 17:34

Update for Sophos Web Protection Appliance


Security firm Sophos has asked that its customers install version of the Web Protection Appliance immediately. At the end of February, staff at security firm SEC Consult discovered vulnerabilities in the product's web-based user interface. Sophos has closed the security holes in the latest version.

The vulnerabilities allow attackers to harvest sensitive data such as passwords and session cookies and provide access to private certificate keys. These keys can be used to sign arbitrary certificates that could serve for man-in-the-middle attacks or phishing attacks within a company network because all clients in a network will accept the certificates.

Sophos says that SEC Consult Vulnerability Lab privately reported the security holes on 21 February. No public exploits for the vulnerabilities (CVE numbers CVE-2013-2641, CVE-2013-2642 and CVE-2013-2643) are believed to have appeared.

