When I got my iPhone 4 this past March, the first thing I did was update the Operating System to the latest version of iOS. The second thing I did was visit the local Apple Store as the (failed) update turned my lovely new smartphone into a very expensive paperweight. Apple very kindly replaced my phone with no questions asked, and I was impressed by the customer service at the Apple Store. I did not, however, rush home to update to the latest version of iOS. When Apple released iOS 4.3.5 on July 25th, I had sufficient motivation to upgrade again. iOS 4.3.5 patches a major security flaw in iOS that could allow an unscrupulous person to conduct a man-in-the-middle attack.

According to Apple, “A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains” (http://support.apple.com/kb/HT4824).

What this means in layman’s terms is that the security lock you and I are used to seeing to verify that our bank’s web site is secure could be compromised on iPhones and iPads running iOS versions prior to 4.3.5. An attacker could purchase a legitimate SSL certificate for a website such as hacking.com, and then use it to sign an invalid certificate for yourbank.com, which a vulnerable device would accept.

By intercepting traffic between your browser and your bank’s web site, a man-in-the-middle attacker could provide you with what appears to be a secure connection to your bank, while stealing all the information passed on this now insecure connection.
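The scenario above can be modelled in a few lines. This is an added example (not code from Apple or Recurity Labs) that walks a certificate chain with and without the check that every issuing certificate is marked as a CA (the X.509 basicConstraints flag). The `Cert` class, the names and the sample chains are constructed, and signatures are assumed to verify rather than being modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate was issued for
    issuer: str    # subject of the certificate that signed this one
    is_ca: bool    # models the basicConstraints CA flag


# Constructed sample data; trust is modelled by name, signatures are not checked.
TRUSTED_ROOTS = {"Example Root CA"}
ROOT = Cert("Example Root CA", "Example Root CA", True)
HACKING = Cert("hacking.com", "Example Root CA", False)  # legitimate leaf certificate
FORGED = Cert("yourbank.com", "hacking.com", False)      # signed with that leaf's key
GENUINE = Cert("yourbank.com", "Example Root CA", False)


def validate(chain, hostname, check_ca_flag):
    """Validate a chain ordered leaf first. Returns (accepted, reason)."""
    if not chain or chain[0].subject != hostname:
        return False, "leaf does not match hostname"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer is not next in chain"
        # The step a flawed validator skips: only a CA may issue certificates.
        if check_ca_flag and not parent.is_ca:
            return False, f"{parent.subject}: not a CA, cannot issue certificates"
    if chain[-1].issuer not in TRUSTED_ROOTS:
        return False, "chain does not end at a trusted root"
    return True, "chain accepted"


if __name__ == "__main__":
    forged_chain = [FORGED, HACKING, ROOT]
    print("without CA check:", validate(forged_chain, "yourbank.com", False))
    print("with CA check:   ", validate(forged_chain, "yourbank.com", True))
    print("genuine chain:   ", validate([GENUINE, ROOT], "yourbank.com", True))
```

Without the CA check the forged chain links up name by name to a trusted root and is accepted; with it, validation stops at hacking.com because that certificate was never authorised to sign others.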

Recurity Labs has published a simple web site for you to check whether your iOS device is vulnerable to this exploit. Simply navigate to https://issl.recurity.com using Safari on your iPhone, iPad, or iPod Touch.

If you see the web page without a warning, your device has this flaw, and you should update your OS immediately:

This is what you don’t want to see.

If, instead, you see a screen that looks like the following, your phone is updated correctly.

This message means that your iDevice is correctly updated, and protecting you.

iOS 4.3.5 is available now through iTunes, and supports the following devices:

  • iPhone 4 (GSM model)
  • iPhone 3GS
  • iPad 2
  • iPad
  • iPod touch (4th generation)
  • iPod touch (3rd generation)

Source: http://support.apple.com/kb/DL1431
