On Monday, March 28, Apple issued an update for iPhone and iPad. In addition to functional changes, iOS 10.3 closes a dangerous vulnerability that allows attackers to steal information and execute arbitrary code.
The Cisco Talos team warned about the vulnerability in the X.509 certificate authentication function on iOS and macOS. To exploit it, attackers need only lure the user to a website that serves a malicious X.509 certificate.
The vulnerability exists in the code responsible for parsing the nameConstraints subfields in the extension fields of an X.509v3 certificate. “There is a use-after-free vulnerability in the X.509 certificate authentication functions on iOS 10.2.1 and macOS Sierra 10.12.3. The problem potentially allows arbitrary code execution and can be exploited with a specially crafted certificate,” the researchers write.
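As an added illustration (not code from Apple or Cisco Talos), the sketch below shows where the nameConstraints extension sits inside a certificate's DER structure and how a parser can bounds-check every length before touching the data. The function names and the sample bytes are constructed for this example; it does not reproduce the flaw.

```python
NAME_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x1E])  # id-ce-nameConstraints, 2.5.29.30
def read_tlv(buf, pos):
    """Bounds-checked DER read: (tag, value, next_pos), ValueError if malformed."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported high tag number")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # content of a constructed element -> [(tag, value), ...]
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def find_name_constraints(der):
    """Return criticality and subtree counts of nameConstraints, or None if absent."""
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            if not tag & 0x20:  # primitive value, nothing to descend into
                continue
            kids = children(val)
            if tag == 0x30 and kids and kids[0] == (0x06, NAME_CONSTRAINTS_OID):
                itag, inner, end = read_tlv(kids[-1][1], 0)  # extnValue content
                if kids[-1][0] != 0x04 or itag != 0x30 or end != len(kids[-1][1]):
                    raise ValueError("malformed nameConstraints extension")
                counts = {0xA0: 0, 0xA1: 0}  # [0] permittedSubtrees, [1] excludedSubtrees
                for t, v in children(inner):
                    if t not in counts:
                        raise ValueError("unexpected field in NameConstraints")
                    counts[t] += len(children(v))
                return {"critical": (0x01, b"\xff") in kids[1:-1],
                        "permitted": counts[0xA0], "excluded": counts[0xA1]}
            stack.append(val)
    return None

# Constructed sample (not a real certificate): one critical nameConstraints extension.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content
NC = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x82, b".example.test"))))
EXT = tlv(0x30, tlv(0x06, NAME_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, NC))
SAMPLE = tlv(0x30, tlv(0xA3, tlv(0x30, EXT)))
```

Any truncated or inconsistent length raises `ValueError` instead of being trusted, so malformed input is rejected before any subtree is read.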
To carry out the attack, the attacker must get the victim to visit an HTTPS site or connect to a mail server that presents the malicious certificate, or to import the certificate.
The problem affects only macOS Sierra 10.12.3 and iOS 10.2.1. It is possible that the vulnerability also exists in earlier versions of the operating systems. Cisco Talos experts strongly recommend installing iOS 10.3 on iPhone and iPad and macOS Sierra 10.12.4 on the Mac as soon as possible to protect devices from potential attacks.