Jul 29, 2011

Important Security Update for iOS: 4.3.5 - Do it Now!

I just updated my iPad and iPhone to iOS 4.3.5. And you should, too.

It's not often that I would talk about "point releases" of iOS software. This one, however, is pretty important. Apple has just released iOS 4.3.5 for the iPhone, iPad and iPod touch, only a few days after the iOS 4.3.4 release, which addressed a different set of security issues. 4.3.5 resolves a serious "security issue" having to do with certificate verification.

Why should you care? Great question, especially since Apple's fairly bland description ("Fixes a security vulnerability with certificate validation") doesn't quite explain what's up here.

I didn't appreciate it either until a meeting yesterday with David Wang from Securigin (www.securigin.com), who apprised me of the importance of this update.

At issue was Apple's "core code" that performs certificate chain validation. It was based on a 9-year-old code base that had never been updated, and until now no one had really worried about it. But the issue came to light, and based on research work done by a number of Internet security teams, Apple moved forward and patched the hole.

The problem, in a nutshell, is that a bad actor with a privileged network position (i.e., on the wire) could capture or modify data in sessions protected by SSL/TLS.

Apple's previous version of code did not properly handle the "certificate chain validation" for X.509 certificates.

Specifically, iOS's SSL certificate parsing contained a flaw where it failed to check the "basicConstraints" extension of certificates in the chain, the extension that says whether a certificate's key is allowed to sign other certificates. So, by signing a new certificate with a legitimate end-entity certificate, an attacker could obtain a "valid" certificate for any domain.

So SSL traffic to any named host could be intercepted and decrypted by the holder of the legitimate certificate that signed the forged one. The iOS user would never know that an invalid certificate was in use. This is the standard "man-in-the-middle" attack used to break encrypted communication.
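To make the flaw concrete, here is an added example (not code from the post, from Apple, or from Securigin) written against Go's standard crypto/x509 package. It builds a constructed PKI in memory: a root CA, a legitimate leaf for shop.example, and a certificate for bank.example signed with the shop.example leaf key. It then runs the two chains through a signature-only validator that mirrors the behaviour described above, the same validator with the basicConstraints check added, and Go's own path builder for comparison. All names and keys are generated on the fly and exist only for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for subject. When parent is nil the certificate is
// self-signed (a root); otherwise it is signed with parentKey regardless of whether
// the parent is a CA, which is exactly what a forger holding a leaf key does.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit the basicConstraints extension...
		IsCA:                  isCA, // ...stating whether this key may sign certificates
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// validateChain walks leaf -> intermediates -> root, checking the hostname and each
// signature (a simplified validator; validity periods etc. are left out). With
// checkBasicConstraints=false it behaves like the flawed code the post describes:
// any certificate whose signature checks out is accepted as an issuer. With true,
// every issuer must carry basicConstraints with CA=TRUE.
func validateChain(host string, leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, checkBasicConstraints bool) error {
	if err := leaf.VerifyHostname(host); err != nil {
		return err
	}
	issuers := append(append([]*x509.Certificate{}, intermediates...), root)
	cur := leaf
	for _, issuer := range issuers {
		if err := issuer.CheckSignature(cur.SignatureAlgorithm, cur.RawTBSCertificate, cur.Signature); err != nil {
			return fmt.Errorf("%q was not signed by %q: %w", cur.Subject.CommonName, issuer.Subject.CommonName, err)
		}
		if checkBasicConstraints && !(issuer.BasicConstraintsValid && issuer.IsCA) {
			return fmt.Errorf("%q is an end-entity certificate and may not issue %q", issuer.Subject.CommonName, cur.Subject.CommonName)
		}
		cur = issuer
	}
	return nil
}

// stdlibVerify asks Go's crypto/x509 path builder, which enforces basicConstraints
// (and the rest of RFC 5280) for comparison.
func stdlibVerify(host string, leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Outcome records whether each validator accepted a chain.
type Outcome struct {
	Naive, Fixed, Stdlib bool
}

// runScenario builds the constructed PKI and returns the verdicts on the
// legitimate shop.example chain and on the forged bank.example chain.
func runScenario() (legit, forged Outcome) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	shop, shopKey := issue("shop.example", false, root, rootKey)
	bank, _ := issue("bank.example", false, shop, shopKey) // forged: the issuer is a leaf

	none := []*x509.Certificate{}
	legit = Outcome{
		Naive:  validateChain("shop.example", shop, none, root, false) == nil,
		Fixed:  validateChain("shop.example", shop, none, root, true) == nil,
		Stdlib: stdlibVerify("shop.example", shop, none, root) == nil,
	}
	via := []*x509.Certificate{shop}
	forged = Outcome{
		Naive:  validateChain("bank.example", bank, via, root, false) == nil,
		Fixed:  validateChain("bank.example", bank, via, root, true) == nil,
		Stdlib: stdlibVerify("bank.example", bank, via, root) == nil,
	}
	return legit, forged
}

func main() {
	legit, forged := runScenario()
	fmt.Printf("legitimate chain: %+v\n", legit) // {Naive:true Fixed:true Stdlib:true}
	fmt.Printf("forged chain:     %+v\n", forged) // {Naive:true Fixed:false Stdlib:false}
}
```

The hostname check alone does not help: the forged certificate names bank.example and every signature in its chain is genuine, so only the CA flag in basicConstraints tells the validator that shop.example's key was never authorised to issue anything. That one-line check is the difference between the two verdicts on the forged chain, and it is what the 4.3.5 fix restores.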

More details are available at Trustwave's site (https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt).

Time to update iOS, folks!

Apperian
