Jul 26, 2011 06:47 GMT

New iOS software updates are available from Cupertino for owners of GSM and CDMA iPhones and iPads, as well as iPod touch devices.

Tasked with fixing a security vulnerability in certificate validation, iOS 4.3.5 and iOS 4.2.10 are immediately available as free downloads through iTunes.

Alternatively, customers can choose to download the individual IPSW files using Apple’s public links (mirrors below).

Download iPhone and iPod Firmware (Free)

Download iPad Firmware (Free)

The iOS 4.3.5 Software Update targets iPhone 4 (GSM model), iPhone 3GS, iPad 2, iPad, iPod touch (4th generation), and iPod touch (3rd generation).

iOS 4.2.10 is intended solely for users of an iPhone 4 CDMA model.

To install the updates, users need a Mac or Windows PC with a USB 2.0 port and iTunes 10.1 or later. Apple recommends iTunes 10.2.

So, what’s so serious about this vulnerability that Apple needed to patch it straight away?

According to a couple of support documents over at Apple’s website, there’s a certificate chain validation issue in the handling of X.509 certificates in iOS.

The risk posed by this bug is that “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

“Other attacks involving X.509 certificate validation may also be possible,” Apple adds.

The Mac maker improved validation of X.509 certificate chains to address this issue.

It wasn’t Apple’s engineers who discovered the flaw, but Gregor Kopf of Recurity Labs (on behalf of BSI), and Paul Kehrer of Trustwave's SpiderLabs.

Earlier this month, Apple released iOS 4.3.4 and iOS 4.2.9 with the purpose of fixing one nasty flaw that allowed hackers to build a tool that would enable users to jailbreak their devices.

According to some reports, even the newly released iOS 4.3.5 and iOS 4.2.10 are vulnerable to the iPhone Dev Team’s Redsn0w jailbreak tool.