Oracle · OpenJDK · CVE-2013-0169
**Name of the Vulnerable Software and Affected Versions**
OpenSSL versions prior to 1.3.0
OpenJDK versions prior to 1.3.0
PolarSSL versions prior to 1.3.0
**Description**
The issue affects TLS 1.1 and 1.2 and DTLS 1.0 and 1.2, which do not properly account for timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding. Remote attackers can use statistical analysis of timing data for crafted packets to conduct distinguishing attacks and plaintext-recovery attacks. The issue is also known as "Lucky Thirteen".
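To illustrate the processing step named above, here is an added example (not code from this page or from OpenSSL, OpenJDK or PolarSSL) of a CBC padding check whose work does not depend on the padding bytes. The function and helper names are hypothetical, and the sketch covers only the padding step: a full mitigation must also make the MAC computation's running time independent of the padding length.

```c
#include <stddef.h>
#include <stdint.h>

/* 0xFFFFFFFF if a < b, else 0; valid while both values are below 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }

/* 0xFFFFFFFF if x == 0, else 0. */
static uint32_t ct_is_zero(uint32_t x) { return 0u - ((~x & (x - 1)) >> 31); }

/* rec is a decrypted CBC record: data || MAC || padding || pad_len byte.
 * Returns 1 for well-formed padding, else 0. *data_len is always set (bad
 * padding counts as zero-length padding) so the caller can run the MAC check
 * on every record instead of returning early. */
int tls_cbc_check_padding(const uint8_t *rec, size_t len, size_t mac_size,
                          size_t *data_len)
{
    *data_len = 0;
    /* len and mac_size are public, so branching on them leaks nothing.
       18432 is the TLS ciphertext record limit (2^14 + 2048). */
    if (len > 18432 || len <= mac_size)
        return 0;

    uint32_t pad = rec[len - 1];                     /* secret-dependent value */
    uint32_t room = (uint32_t)(len - mac_size - 1);  /* padding bytes that fit */
    uint32_t good = ~ct_lt(room, pad);               /* all-ones if pad <= room */
    uint32_t to_check = len - 1 < 255 ? (uint32_t)(len - 1) : 255u;
    uint32_t diff = 0;

    /* Always scan the same number of bytes, whatever pad_len claims. */
    for (uint32_t i = 0; i < to_check; i++) {
        uint32_t in_pad = ct_lt(i, pad);             /* mask: byte i is padding */
        diff |= in_pad & (rec[len - 2 - i] ^ pad);
    }
    good &= ct_is_zero(diff);
    *data_len = len - mac_size - 1 - (good & pad);
    return (int)(good & 1u);
}

int main(void)
{
    uint8_t rec[32]; /* constructed sample: 8 data + 20 MAC + 3 padding + pad_len */
    size_t n;
    for (size_t i = 0; i < sizeof rec; i++) rec[i] = i < 28 ? 0xAA : 0x03;
    int ok = tls_cbc_check_padding(rec, sizeof rec, 20, &n);
    rec[29] ^= 0x01; /* malformed padding */
    return !(ok == 1 && tls_cbc_check_padding(rec, sizeof rec, 20, &n) == 0);
}
```

A compiler may still turn masked arithmetic back into branches, so the generated code should be inspected or timed before relying on it.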
**Recommendations**
For OpenSSL versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue.
For OpenJDK versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue.
For PolarSSL versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable protocols until a patch is available.