Apple Patches Serious 2002 Vulnerability For Some Devices

  A vulnerability that dates back nine years was patched by Apple on Monday (Jul 25 2011).  Apple devices that use the iOS operating system (such as iPhone 4 and 3GS along with the third and fourth generation iPod Touch) are vulnerable to an attacker who can intercept and then decrypt secure SSL communications {Chapter 12 Security+ 3ed} using a man-in-the-middle attack {Chapter 4 Security+ 3ed}.  The updated attack tool "sslsniff" can be used to easily view user information.  Some security experts are stating that this latest attack is more serious than Firesheep (see Oct 27, Nov 3 and Nov 11 2010 blog postings).  

   This same vulnerability was also in Microsoft Windows, but it was patched there back in 2002.  A Windows user will receive an "Invalid Certificate" warning in a browser.

   A patch is now available from Apple to fix this vulnerability.  Unfortunately, users with an original iPhone, iPhone 3G, or first- or second-generation iPod Touch cannot patch their devices because Apple no longer provides security updates for these devices.  You can download the Apple patch at http://support.apple.com/kb/HT4824.

   Stay secure!

http://www.cengage.com/community/infosec