This article originally appeared in TidBITS on 2011-07-25 at 2:04 p.m.
The permanent URL for this article is: http://tidbits.com/article/12373

iOS 4.3.5 and 4.2.10 Fix SSL Vulnerability

by Adam C. Engst

Apple has released iOS 4.3.5 [1] for the GSM iPhone 4 and 3GS, the iPad and iPad 2, and the 3rd and 4th generations of the iPod touch, along with iOS 4.2.10 [2] for the CDMA iPhone 4. Both updates address a security vulnerability associated with the handling of X.509 certificates, which could enable an attacker with a privileged network position to capture or even modify data in sessions protected by SSL/TLS.

It’s interesting that this is the second small security update that Apple has released for iOS in the last 10 days (see “iOS 4.3.4 and 4.2.9 Fix PDF Vulnerability [3],” 15 July 2011), which implies the vulnerabilities have been quite serious, or at least well known.

The updates are available only via iTunes, and despite the minimal changes, they’re big, so allot plenty of time to download and install. To get the update, you may have to click the Check for Updates button in the Version section of the Summary pane of iTunes when your iOS device is connected, since it can take up to a week for iTunes to notice that there’s a new update (presumably Apple doesn’t see the need to check constantly given that iOS updates are unlikely to appear so frequently).

[1]: http://support.apple.com/kb/HT4824
[2]: http://support.apple.com/kb/HT4825
[3]: http://tidbits.com/article/12331