The iOS vulnerability for which Apple (Nasdaq: AAPL) issued a security patch on July 25 is very severe, according to security experts who are warning iOS device users to apply that patch as soon as possible.
The vulnerability lies in a failure to validate SSL certificates correctly. That lets hackers use a tool called "sslsniff" to take over victims' iOS devices by using fake certificates.
Apple's patch is for iOS 3.0 through 4.3.4 for the iPhone 3GS and iPhone 4 GSM -- meaning the AT&T (NYSE: T) iPhone, iOS 3.1 through 4.3.4 for the third-generation iPod touch and later, and iOS 3.2 through 4.3.4 for the iPad.
Apple's notification stated that a certificate chain validation issue exists in the handling of X.509 certificates, and an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS encryption.
In plain English, this means the vulnerability allows hackers to compromise users' cheap SSL certificates, then steal or modify data protected by SSL encryption.
SSL, the Secure Socket Layer protocol, is used for security on the Web.
"Everything's moving to the cloud, so SSL capabilities will become even more important as iOS offers cloud services," Michael Morgan, a senior analyst at ABI Research, told MacNewsWorld.
Apple revealed its iCloud service in June. Once up and running, the service will store new iDevice content in that cloud.
"I think Apple should take the time to tell people the patch is critical, because some people won't update their systems otherwise," Morgan added.
Apple did not immediately respond to a request for comment.
About the iOS Vulnerability
Like other operating systems, iOS validates all the signatures in a certificate chain. Its vulnerability lies in its failing to check whether intermediate certificates have valid signatures, as required by the x509 standard.
This means hackers can take an old certificate signed by a certificate authority, such as VeriSign (Nasdaq: VRSN) or Symantec (Nasdaq: SYMC), and use that to create valid signatures for other certificates and to intercept SSL traffic.
In order to check whether a certificate is valid, the OS must check the Basic Constraints extension in the certificate. This is a multi-valued extension which indicates whether a certificate was issued by a certificate authority (CA).
A genuine CA certificate must include the Basic Constraints value with the CA field set to "true," and that field is followed by a "pathlen" parameter that indicates the maximum number of CA certificates that can be included with the master certificate in a chain.
If the pathlen parameter is set to 1, for example, then there can only be two genuine CA certificates \-- the master and another one -- in the chain.
The vulnerability was first discovered in Internet Explorer by Moxie Marlinspike, who publicized it back in 2002.
Marlinspike developed the "sslsniff" tool as a proof of concept exploit for this vulnerability.
Everything Old Is New Again
"This is an old attack," pointed out Chet Wisniewski, a senior security adviser at Sophos.
"It was also in Webkit, which is in Safari, and that means Apple fixed it in their browser in 2002," Wisniewski told MacNewsWorld.
"Somehow they may have recreated the flaw when they created iOS. It is a bit strange."
Vulnerability Is for Victims
Apple's low-key approach to the security patch is in keeping with its past behavior. The company's general practice is to say nothing about vulnerabilities for a while and then suddenly release a slew of patches.
"Apple have been able to say they're more secure than some other operating systems for some time, but that's a bit of a fallacy because, in the past, they haven't been as much of a target," Richard Shim, a senior analyst at Display Search, told MacNewsWorld.
"Now, they're a big target because they're so well established," Shim stated.
The skyrocketing popularity of first the iPhone and now the iPad has changed the situation.
"In the past, people weren't trying to hack Apple so much, so Apple could back off a bit on security and focus on products," ABI Research's Morgan said.
"Now, they're big enough and important enough and, because they haven't spent as much time hardening their system as Microsoft (Nasdaq: MSFT) had to, they're becoming more of a target and may have to shift gears on security," Morgan remarked.
Apple should perhaps have been more forthcoming about the dangers of the Basic Constraints vulnerability so that users would understand they need to apply its patches as soon as possible.
On the other hand, Apple seems to be moving in the right direction with regard to security, Sophos' Wisniewski said.
"I've heard that iOS 5 may include over-the-air updates and that will be a big help," Wisniewski stated. "It's not that people don't want to update their iOS devices, it's just that it's so inconvenient because you have to plug your device into your computer first."
Source URL: