Last Updated Jul 29, 2011 — App Management expert
Important Security Update for iOS: 4.3.5 - Do it Now!
I just updated my iPad and iPhone to iOS 4.3.5. And you should, too.
It's not often that I would talk about "point releases" of iOS software. However, this one is pretty important. Apple has just released iOS 4.3.5 for the iPhone, iPad and iPod touch, only a few days after iOS 4.3.4, which addressed a different set of security issues. iOS 4.3.5 resolves a serious security issue having to do with certificate verification.
Why should you care? Great question, especially since Apple's fairly bland description ("Fixes a security vulnerability with certificate validation") doesn't quite explain what's up here.
I didn't appreciate it either until a meeting yesterday with David Wang from Securigin (www.securigin.com), who apprised me of the importance of this update.
At issue was Apple's "core code" that performs certificate chain validation. It was based on a 9-year-old code base that had never been updated, and until now no one had really worried about it. But the issue came to light, and based on research work done by a number of Internet security teams, Apple moved forward and patched the hole.
The problem, in a nutshell, is that a bad actor with a privileged network position (i.e., on the wire) could capture or modify data in sessions protected by SSL/TLS.
Apple's previous version of code did not properly handle the "certificate chain validation" for X.509 certificates.
Specifically, iOS's SSL certificate parsing contained a flaw where it failed to check the "basicConstraints" extension of the certificates in the chain. So, by using a legitimate end-entity certificate (one that was never authorized to act as a certificate authority) to sign a new certificate, an attacker could obtain a "valid" certificate for any domain.
So, any SSL traffic to that domain could be intercepted and decrypted by whoever held the key of that rogue certificate. The iOS user would never know that an invalid certificate was being used. This is the standard "man-in-the-middle" approach used to break encrypted communication.
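To make the chain-validation flaw concrete, here is an added example (not code from the original post or from Apple) that models a certificate chain with a small Python data class and contrasts a validator that ignores basicConstraints with one that enforces it. The certificates, names and the name-based stand-in for signature checking are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed model, not a real parser)."""
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints cA; False when the extension is absent
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint, if present
    signing_key: str = ""           # subject whose key signed this cert (models the signature)

TRUSTED_ROOTS = {"Trusted Root CA"}

def signature_ok(cert: Cert, issuer: Cert) -> bool:
    # Real code verifies the signature with the issuer's public key; here names are compared.
    return cert.issuer == issuer.subject and cert.signing_key == issuer.subject

def validate_flawed(chain: List[Cert]) -> bool:
    """Models the pre-4.3.5 check: linkage and signatures only, basicConstraints ignored."""
    for child, parent in zip(chain, chain[1:]):
        if not signature_ok(child, parent):
            return False
    return chain[-1].subject in TRUSTED_ROOTS

def validate_fixed(chain: List[Cert]) -> bool:
    """Corrected check: every issuing cert must assert cA and respect pathLenConstraint."""
    for i, (child, parent) in enumerate(zip(chain, chain[1:])):
        if not signature_ok(child, parent):
            return False
        if not parent.is_ca:  # an end-entity certificate may never act as an issuer
            return False
        # i equals the number of intermediate CAs sitting below `parent` in this chain
        if parent.path_len is not None and i > parent.path_len:
            return False
    return chain[-1].subject in TRUSTED_ROOTS

# Constructed sample data: a legitimate site certificate and a rogue leaf signed with its key.
ROOT = Cert("Trusted Root CA", "Trusted Root CA", True, None, "Trusted Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Trusted Root CA", True, 0, "Trusted Root CA")
SITE = Cert("www.example.com", "Example Issuing CA", False, None, "Example Issuing CA")
ROGUE = Cert("bank.example", "www.example.com", False, None, "www.example.com")

LEGIT_CHAIN = [SITE, INTERMEDIATE, ROOT]
ROGUE_CHAIN = [ROGUE, SITE, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    print("legit chain  flawed/fixed:", validate_flawed(LEGIT_CHAIN), validate_fixed(LEGIT_CHAIN))
    print("rogue chain  flawed/fixed:", validate_flawed(ROGUE_CHAIN), validate_fixed(ROGUE_CHAIN))
```

The flawed validator accepts the rogue chain because every link is correctly signed and ends at a trusted root; the fixed one rejects it because the site certificate carries no cA assertion.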
More details are available at Trustwave's site ( https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt).
Time to update iOS, folks!