Apple issued security updates for both versions of iOS: 4.3.5 and 4.2.10. Version 4.3.5 is the update for the iPhone 3GS and iPhone 4 (GSM), iPad, and 3rd generation or later iPod Touch, whereas 4.2.10 is the update for iPhone 4 (CDMA) devices.
According to the support document published by Apple, the security update fixed “a certificate chain validation issue” for these devices “in the handling of X.509 certificates”. Apple advised that the flaw could allow attackers “with a privileged network position to capture or modify data in sessions protected by SSL/TLS”.
The company added that other attacks were also possible through this flaw and that the security update fixed the problem via “improved validation of X.509 certificate chains”.
Apple credited Gregor Kopf of Recurity Labs, on behalf of the British Standards Institution (BSI), as well as Paul Kehrer of Trustwave’s SpiderLabs for discovering the vulnerability.