What’s new in iOS 4.3.5, 4.2.10
Though it’s all but certain the bad guys know about it, Apple is at least ahead of the media curve this around. A few weeks ago Cupertino papered over a PDF vulnerability and now they’re back to put a cork into another.
IOS 4.3.5 Software Update (GSM) and iOS 4.2.10 Software Update (CDMA) both come to market with one of Apple’s typical non-descriptions.
Fixes a security vulnerability with certificate validation.”
However digging a little deeper yields a patch for a specific vulnerability:
-
- Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains.
The key words here are “privileged network position,” which roughly translates as “the bad has physical possession of the iPhone.” So, if they’ve got your device, they can do anything they want, but apply this patch anyway.
Like July 15′s iOS 4.3.4 and 4.2.9 Updates, which addressed the famed PDF attack vector, this one targets the same devices: iPhone 4 (GSM model), iPhone 3GS, iPad 2, iPad, iPod touch and iPod touch.
