Apple Releases iOS 4.3.5 to Address Security Issue With Certificate Validation

Only ten days after releasing iOS 4.3.4, Apple has just pushed out iOS 4.3.5 to address a security issue with certificate validation.

iOS 4.3.5 Software Update

Fixes a security vulnerability with certificate validation.

The new version checks in as Build 8L1, and is for the GSM iPhone 4, iPhone 3GS, all iPads, and the third- and-fourth-generation iPod touch. A separate iOS 4.2.10 (Build 8E600) is available for the CDMA iPhone.

Direct download links:
- iPhone 4 GSM
- iPhone 4 CDMA (iOS 4.2.10)
- iPhone 3GS
- iPad 2 Wi-Fi
- iPad 2 GSM
- iPad 2 CDMA
- Original iPad
- iPod touch (fourth-generation)
- iPod touch (third-generation)

Update: Some users are reporting receiving errors when attempting to connect to Apple's servers for the update, but with repeated attempts it seems as though users are able to get through.

Update 2: Apple has now posted a support document describing the security issue patched in the update. The issue has been given an identifier of CVE-2011-0228.

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains.