iOS updates fix certificate validation vulnerability - update
Less than two weeks after closing the Jailbreak.me hole, Apple has released versions 4.3.5 and 4.2.10 of its iOS mobile operating system. The security updates address a certificate validation issue in the way that X.509 certificates are handled.
The problem was that, although all the signatures in a certificate chain were checked, there was no check that the issuer of an intermediate certificate was in fact authorised to issue certificates. This check is performed by examining the CA bit in the certificate's "Basic Constraints" extension. This meant that anyone with a valid certificate could use it to create other certificates for sites such as paypal.com or a bank, and iOS would accept the certificate as valid.
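The following Python example is added here and is not Apple's code or part of the original report: it compares a validator that only checks the signatures in a chain with one that also requires the CA flag on every issuing certificate. The `Cert` class, the host names and keys, and the HMAC stand-in for public-key signatures are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool        # models the CA bit in Basic Constraints
    key: bytes         # assumption: one shared key stands in for a key pair
    sig: bytes = b""

    def tbs(self) -> bytes:
        """The signed portion of the certificate."""
        return f"{self.subject}|{self.issuer}|{self.is_ca}".encode()


def issue(subject, is_ca, key, signer=None):
    """Create a certificate signed by `signer` (self-signed if None).
    HMAC replaces RSA/ECDSA here; only the chain logic is the point."""
    cert = Cert(subject, signer.subject if signer else subject, is_ca, key)
    signing_key = signer.key if signer else key
    cert.sig = hmac.new(signing_key, cert.tbs(), hashlib.sha256).digest()
    return cert


def signatures_ok(chain, roots):
    """Pre-fix behaviour: each link is correctly signed by the next
    certificate and the chain ends at a trusted root."""
    for child, parent in zip(chain, chain[1:]):
        expected = hmac.new(parent.key, child.tbs(), hashlib.sha256).digest()
        if child.issuer != parent.subject:
            return False
        if not hmac.compare_digest(child.sig, expected):
            return False
    return chain[-1] in roots


def chain_ok(chain, roots):
    """Fixed behaviour: every certificate that issued another one must
    also carry CA=TRUE in Basic Constraints."""
    return signatures_ok(chain, roots) and all(c.is_ca for c in chain[1:])


# Constructed sample certificates; all names and keys are placeholders.
ROOT = issue("Example Root CA", True, b"root-key")
SITE = issue("shop.example", False, b"site-key", ROOT)    # end-entity cert
FORGED = issue("bank.example", False, b"x-key", SITE)     # issued by a non-CA
INTERMEDIATE = issue("Example Issuing CA", True, b"int-key", ROOT)
LEGIT = issue("bank.example", False, b"leaf-key", INTERMEDIATE)
```

The chain `[FORGED, SITE, ROOT]` passes `signatures_ok` but fails `chain_ok`, while `[LEGIT, INTERMEDIATE, ROOT]` passes both.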
The problem Apple is fixing isn't new. Nearly nine years ago, applications using Microsoft CryptoAPI such as Internet Explorer (IE) and Outlook, and later WebKit-based browsers, contained a vulnerability in their implementation of SSL that could be used by an attacker for an active, undetectable, man-in-the-middle (MITM) attack. Users can use the sslsniff tool, which was just updated to add iOS fingerprinting support, to test whether they are vulnerable.
The certificate validation bug in iOS was discovered by Gregor Kopf of Recurity Labs and Paul Kehrer of Trustwave's SpiderLabs. Recurity Labs have been evaluating iOS security on behalf of Germany's Federal Office for Information Security (BSI).
The iOS updates are compatible with iPhone 4 (GSM and CDMA models), iPhone 3GS, the original iPad and iPad 2, and the 3rd and 4th generation iPod Touch. The original iPhone, iPhone 3G, and 1st and 2nd generation iPod Touches are no longer supported and, as such, no longer receive iOS updates. Users can update their iOS-based mobile devices using the latest version of iTunes.
- About the security content of iOS 4.3.5 Software Update for iPhone, security advisory from Apple.
- About the security content of iOS 4.2.10 Software Update for iPhone, security advisory from Apple.
- iOpener - How safe is your iPhone data?, a feature from The H.