Apple patches iOS interception flaw

Apple on Monday issued a new patch that fixes a vulnerability that could allow an attacker to spoof an X.509 certificate used to encrypt web sessions on 4.3.4 iOS devices.

The vulnerability is related to the way Apple validates X.509 certificates and can undermine Secure Socket Layer (SSL) and Transport Layer Security (TLS) protected sessions, Apple warned on Monday.

“Using this technique, an attacker who is able to intercept traffic from a vulnerable iOS device can craft an SSL certificate, and subsequently capture and decrypt the traffic from applications which utilize this certificate. No notification is presented to the end user, which allows the attacker to perform this attack without detection.”

The attack appears to undermine the X.509 certification process where various certificate authorities issue certificates that tie a public key to a designated name. Apple described the flaw as a “a certificate chain validation issue” that existed in the handling of X.509 certificates.
“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS”, Apple said.

The flaw affects iOS devices from 3.0 to 4.3.4 for iPhone 3GS and 4, iPods and iPads and the patch is only available through iTunes.

Apple said it had addressed the current vulnerability through “improved validation of X.509 certificate chains.”

More information regarding the vulnerability and its update can be found on the following links:

https://support.apple.com/kb/HT4824
https://support.apple.com/kb/HT4825

Ranjeet Menon