Apple Fixes Certificate Validation Flaw in iOS

Apple on Friday quietly pushed out a security update to iOS that restores some certificate-validation checks that had apparently been missing from the operating system for an unspecified amount of time.

Apple released iOS 7.06 on Friday and the only content in the update was a small security fix that the company said addressed a problem with the way that iOS handled certificate validation when establishing a secure connection.

“Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps,” the Apple advisory says.

The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. An attacker with a man-in-the-middle position on the victim’s network could exploit this vulnerability to read supposedly secure communications. It’s not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8.

“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said.

Certificate validation is a key step in establishing secure sessions, as attackers often employ techniques that involve spoofing certificates for high-value sites such as Google or Yahoo in the hopes of capturing users’ confidential data, such as user IDs and passwords. If the client doesn’t check to ensure that the certificate presented is in fact valid and issued for the proper site, the security of the connection can’t be trusted.
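To make the last paragraph concrete, here is an added example (not code from the article or from Apple) that models the checks a TLS client runs on a server certificate chain: validity period, signature chain to a trusted root, and a hostname match against the certificate's DNS names. The certificates, keys and trust store are constructed Python records rather than real X.509 objects, and the `steps` parameter is an artificial knob that exists only to show what happens when one of those checks is missing, which is the kind of gap the advisory describes.

```python
"""Minimal model of the certificate-validation steps a TLS client performs.

Constructed example: certificates, keys and the trust store are plain Python
records, not real X.509 or real cryptography. It shows which checks a client
must run, and that a certificate which is genuine but issued for a different
site is accepted as soon as the hostname step is skipped.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str            # distinguished name, simplified to a string
    issuer: str             # subject of the certificate that signed this one
    dns_names: tuple        # subjectAltName DNS entries
    not_before: datetime
    not_after: datetime
    signed_by_key: str      # stand-in for "signature verifies under this key"
    public_key: str         # stand-in for this certificate's public key
    is_ca: bool = False


# Constructed trust store: only the root CA's key is trusted (assumed name).
TRUSTED_ROOT_KEYS = {"key-root"}

ALL_STEPS = ("validity", "chain", "hostname")


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive, and a wildcard is
    accepted only as the whole leftmost label covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        # Refuse '*.com'-style patterns: the suffix needs at least two labels.
        if suffix.count(".") >= 1 and host.endswith("." + suffix):
            return host.count(".") == suffix.count(".") + 1
    return False


def validate_chain(chain: Sequence[Cert], host: str, now: datetime,
                   steps=ALL_STEPS) -> Tuple[bool, str]:
    """Return (True, 'ok') or (False, reason). `chain` is leaf first.
    `steps` exists only to demonstrate the effect of a missing check."""
    if not chain:
        return False, "no certificate presented"
    if "validity" in steps:
        for c in chain:
            if not (c.not_before <= now <= c.not_after):
                return False, f"{c.subject}: outside validity period"
    if "chain" in steps:
        # Each certificate must be signed by the next one (which must be a CA
        # and the named issuer); the last one must be signed by a trusted root.
        for i, c in enumerate(chain):
            if i + 1 < len(chain):
                parent = chain[i + 1]
                if (not parent.is_ca or c.issuer != parent.subject
                        or c.signed_by_key != parent.public_key):
                    return False, f"{c.subject}: does not chain to {parent.subject}"
            elif c.signed_by_key not in TRUSTED_ROOT_KEYS:
                return False, f"{c.subject}: does not chain to a trusted root"
    if "hostname" in steps:
        if not any(hostname_matches(p, host) for p in chain[0].dns_names):
            return False, f"leaf certificate is not issued for {host}"
    return True, "ok"


# Constructed sample certificates (names and keys are placeholders).
NOW = datetime(2014, 2, 22, tzinfo=timezone.utc)
YEAR = timedelta(days=365)
INTERMEDIATE = Cert("Example CA", "Example Root", (), NOW - YEAR, NOW + 5 * YEAR,
                    signed_by_key="key-root", public_key="key-ca", is_ca=True)
GOOD_LEAF = Cert("www.example.com", "Example CA", ("www.example.com", "example.com"),
                 NOW - YEAR, NOW + YEAR, signed_by_key="key-ca", public_key="key-leaf")
# Genuinely issued by the same CA, but for a different site.
OTHER_SITE_LEAF = Cert("mitm.example.net", "Example CA", ("mitm.example.net",),
                       NOW - YEAR, NOW + YEAR, signed_by_key="key-ca", public_key="key-other")
# Claims the right name but is self-signed with an untrusted key.
SELF_SIGNED_LEAF = Cert("www.example.com", "www.example.com", ("www.example.com",),
                        NOW - YEAR, NOW + YEAR, signed_by_key="key-rogue", public_key="key-rogue")


def demo() -> dict:
    """Run the validator over the constructed cases and return the verdicts."""
    host = "www.example.com"
    return {
        "genuine": validate_chain([GOOD_LEAF, INTERMEDIATE], host, NOW),
        "other_site": validate_chain([OTHER_SITE_LEAF, INTERMEDIATE], host, NOW),
        "self_signed": validate_chain([SELF_SIGNED_LEAF], host, NOW),
        "expired": validate_chain([GOOD_LEAF, INTERMEDIATE], host, NOW + 2 * YEAR),
        # The same other-site certificate with the hostname step missing.
        "other_site_no_hostname_check": validate_chain(
            [OTHER_SITE_LEAF, INTERMEDIATE], host, NOW, steps=("validity", "chain")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

The last case is the one to watch: the chain and validity checks both pass, because the certificate really was issued by a trusted CA, so only the hostname step stands between a valid certificate for some other name and a "secure" connection to the wrong party. Dropping any one of the three steps leaves a class of forged or misused certificates accepted.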
