Apple Fixes Certificate Validation Flaw in iOS

Apple on Friday quietly pushed out a security update to iOS that restores some certificate-validation checks that had apparently been missing from the operating system for an unspecified amount of time.

Apple released iOS 7.0.6 on Friday, and the update's only content was a small security fix that the company said addressed a problem with the way iOS handled certificate validation when establishing a secure connection.

“Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps,” the Apple advisory says.

The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be that an attacker with a man-in-the-middle position on the victim’s network could read supposedly secure communications. It’s not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8.

“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said.

Certificate validation is a key step in establishing a secure session: an attacker who can intercept traffic will present a spoofed certificate for a high-value site such as Google or Yahoo in the hope of capturing users’ confidential data, such as user IDs and passwords. If the client does not check that the presented certificate is genuinely valid and was issued for the site it is connecting to, the encryption says nothing about who is on the other end, and the security of the connection can’t be trusted.
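The advisory says only that validation steps were "missing" and have been "restored"; it does not say what they were or how they came to be skipped. The example below is added for this page and is not Apple's Secure Transport code. It models one validation step, checking the server's signature over the key exchange, in the C error-handling idiom such code is usually written in, and shows how a single stray jump in that idiom skips the check while the function still returns success. The toy hash, the OSStatus codes, the names toy_sign, verify_vulnerable, verify_fixed and verdict, and the transcript bytes are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not Apple's code. It models one TLS validation step,
 * checking the server's signature over the key exchange, as a chain of calls
 * in the usual C idiom "if ((err = step()) != 0) goto fail;". The hash is a
 * toy (32-bit FNV-1a) so the code runs offline; the point is control flow. */

typedef int OSStatus;
enum { errOK = 0, errBadParam = -1, errBadSignature = -2 };
enum { RANDOM_LEN = 32, SIG_LEN = 4 };  /* toy signature = 4-byte digest */
typedef struct { uint32_t h; } HashCtx;

static OSStatus hash_init(HashCtx *c) { c->h = 2166136261u; return errOK; }

static OSStatus hash_update(HashCtx *c, const uint8_t *p, size_t n)
{
    if (p == NULL && n != 0) return errBadParam;
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return errOK;
}

/* Compare the digest with the signature, touching every byte (no early exit). */
static OSStatus raw_verify(const HashCtx *c, const uint8_t *sig, size_t n)
{
    if (n != SIG_LEN) return errBadSignature;
    uint8_t diff = 0;
    for (size_t i = 0; i < SIG_LEN; i++) diff |= (uint8_t)(c->h >> (8 * i)) ^ sig[i];
    return diff ? errBadSignature : errOK;
}

/* Server side of the toy: sign the transcript the client will verify. */
void toy_sign(const uint8_t *cr, const uint8_t *sr,
              const uint8_t *params, size_t plen, uint8_t sig[SIG_LEN])
{
    HashCtx ctx;
    hash_init(&ctx);
    hash_update(&ctx, cr, RANDOM_LEN);
    hash_update(&ctx, sr, RANDOM_LEN);
    hash_update(&ctx, params, plen);
    for (size_t i = 0; i < SIG_LEN; i++) sig[i] = (uint8_t)(ctx.h >> (8 * i));
}

/* Broken verifier. A stray unconditional "goto fail" makes the signature
 * comparison unreachable. Every step before it succeeded, so err is still 0
 * at the label and the caller sees success without the signature ever
 * being checked. */
OSStatus verify_vulnerable(const uint8_t *cr, const uint8_t *sr,
                           const uint8_t *params, size_t plen,
                           const uint8_t *sig, size_t siglen)
{
    OSStatus err;
    HashCtx ctx;
    if ((err = hash_init(&ctx)) != 0) goto fail;
    if ((err = hash_update(&ctx, cr, RANDOM_LEN)) != 0) goto fail;
    if ((err = hash_update(&ctx, sr, RANDOM_LEN)) != 0) goto fail;
    if ((err = hash_update(&ctx, params, plen)) != 0) goto fail;
        goto fail;                    /* BUG: unconditional, err is 0 here */
    err = raw_verify(&ctx, sig, siglen);
fail:
    return err;
}

/* Fixed verifier: the same chain with the stray jump removed, so every step runs. */
OSStatus verify_fixed(const uint8_t *cr, const uint8_t *sr,
                      const uint8_t *params, size_t plen,
                      const uint8_t *sig, size_t siglen)
{
    OSStatus err;
    HashCtx ctx;
    if ((err = hash_init(&ctx)) != 0) goto fail;
    if ((err = hash_update(&ctx, cr, RANDOM_LEN)) != 0) goto fail;
    if ((err = hash_update(&ctx, sr, RANDOM_LEN)) != 0) goto fail;
    if ((err = hash_update(&ctx, params, plen)) != 0) goto fail;
    err = raw_verify(&ctx, sig, siglen);
fail:
    return err;
}

typedef OSStatus (*verify_fn)(const uint8_t *, const uint8_t *,
                              const uint8_t *, size_t, const uint8_t *, size_t);

/* Constructed handshake transcript; no real server is involved. */
static const uint8_t kClientRandom[RANDOM_LEN] = { 0xC1, 0x1E };
static const uint8_t kServerRandom[RANDOM_LEN] = { 0x5E, 0x12 };
static const uint8_t kParams[] = "key exchange params from a man in the middle";

/* Verdict of one verifier on the genuine signature (forged == 0) or on a
 * copy with its first byte flipped (forged != 0). */
OSStatus verdict(verify_fn verify, int forged)
{
    uint8_t sig[SIG_LEN];
    toy_sign(kClientRandom, kServerRandom, kParams, sizeof kParams, sig);
    if (forged) sig[0] ^= 0xFF;
    return verify(kClientRandom, kServerRandom, kParams, sizeof kParams, sig, SIG_LEN);
}

int main(void)
{
    printf("vulnerable, forged signature: %d (0 = accepted)\n", verdict(verify_vulnerable, 1));
    printf("fixed, forged signature:      %d\n", verdict(verify_fixed, 1));
    printf("fixed, genuine signature:     %d\n", verdict(verify_fixed, 0));
    return 0;
}
```

The broken verifier accepts the forged signature because the error code that doubles as the return value was never set by a step that never ran. Two practices catch this class of defect: a negative test that feeds every validator a deliberately bad input and asserts rejection, and building with unreachable-code and misleading-indentation warnings treated as errors, since either warning flags the stray line.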

  • annoyme on

    OS X is also affected, how far back this goes is unknown. Programmer error, incompetence, deliberate backdoor or sabotage depending. Apple has been rushing out new OS X/iOS versions a lot more frequently (annually now) as they are in desperation mode to slap a new coat of eye candy operating system paint to push out hardware. There is a gold HTC Android phone now, Android is killing iPhone sales and Apple's phone makes about 2/3 of their revenue. They are getting rather desperate, likely pushing their programmers too fast and mistakes are being made.
    • paikinho on

      How is Android killing iPhone sales exactly? Apple has consistently sold a larger number of iPhones with each year. Apple currently has broken all of its previous records for the last quarter alone and has the most profits of any company in human history. All of this largely based on the sale of its iPhones. With Samsung and Apple roughly making profits in the same way it seems like there are pretty much 2 equally matched industry titans going at it and the rest are scrambling for table scraps.
    • paikinho on

      and perhaps you missed the other article..... "Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks." This type of thing happens pretty much to every platform consistently every year. That is why they are always having contests offering money to those who can find exploits. That is why there is also a constant and steady release of security updates for every platform we have on earth.
  • Steven Fisher on

    "Quietly"? It's there in the patch notes; that's as noisy as Apple ever gets for a point release.

