Apple's recent security patch for iOS is a lot more critical for users of iPhone, iPad, and iPod Touch devices to install than was initially suspected, according to Chester Wisniewski, a Sophos senior security advisor.
Apple's mobile operating system is vulnerable to an updated version of Moxie Marlinspike's sslsniff, a tool that "allows users to easily perform man-in-the-middle attacks against SSL/TLS connections," Wisniewski wrote Wednesday on Sophos' NakedSecurity blog.
What's more, according to the post, the new version of sslsniff can "identify vulnerable Apple devices and allows anyone to snoop on secure communications."
"This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal," Wisniewski writes. "Users are particularly vulnerable to this attack if they frequently use public/open WiFi."
The vulnerability (tracked as CVE-2011-0228) is present in iOS 4.3.4, 4.2.9 and the 5.0 beta, and in every earlier release; Apple's fix shipped as iOS 4.3.5 and 4.2.10. Unfortunately, for Apple devices only a couple of generations old there is no fix at all, according to Wisniewski, because the patched releases do not run on them.
"If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable," he writes. "Owners of these devices should not use them for any purpose for which security or privacy is required."
And like a number of recently identified security vulnerabilities in Apple's Mac OS X operating system, the latest iOS vulnerability has a documented history: it is the same class of flaw, a failure to check the X.509 basicConstraints extension that marks a certificate as belonging to a certificate authority, that was first widely reported in Microsoft software.
"Oddly the flaw in iOS was a widespread flaw in WebKit and Microsoft's CryptoAPI nine years ago," Wisniewski writes. "It allows any valid certificate purchased from a Certificate Authority to sign any other certificate, which the client device will then consider valid.
"This allows anyone who can capture traffic from your iPhone, iPad or iPod Touch with man-in-the-middle techniques to intercept and read any and all encrypted SSL traffic silently and without notification to the user."
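The following is an added illustration of the check Wisniewski describes, written for this page; it is not code from Apple, Sophos or sslsniff. It models X.509 path validation just far enough to show why a certificate signed by a leaf certificate must be rejected. Certificates are plain dataclasses, and "signatures" are HMAC-SHA256 tags keyed with the issuer's secret, standing in for RSA or ECDSA so that the example runs with only the Python standard library. All names (Example Root CA, www.bank.example, attacker.example, validate_chain and so on) are invented for the example. The `enforce_basic_constraints=False` path reproduces the behaviour of iOS 4.3.4 and earlier: any certificate whose signature verifies is allowed to act as an issuer, whether or not it is a CA.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Toy key material (constructed for this example): one secret per key id.
# A real verifier uses the issuer's public key; HMAC with a shared secret
# stands in for that here so the example needs no crypto library.
KEYS: Dict[str, bytes] = {
    "root-key": b"root-secret",
    "bank-key": b"bank-secret",
    "attacker-key": b"attacker-secret",
    "rogue-key": b"rogue-secret",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str        # which entry in KEYS this certificate binds to the subject
    is_ca: bool        # the basicConstraints cA flag
    signature: bytes   # tag over the to-be-signed fields, made with the issuer's key


def _tbs(subject: str, issuer: str, key_id: str, is_ca: bool) -> bytes:
    """The to-be-signed fields, serialised deterministically."""
    return f"{subject}|{issuer}|{key_id}|{int(is_ca)}".encode()


def self_sign(subject: str, key_id: str) -> Cert:
    """A self-signed CA certificate, used as a trust anchor."""
    body = _tbs(subject, subject, key_id, True)
    sig = hmac.new(KEYS[key_id], body, hashlib.sha256).digest()
    return Cert(subject, subject, key_id, True, sig)


def issue(subject: str, key_id: str, is_ca: bool, issuer: Cert) -> Cert:
    """Sign a certificate with the issuer's key. Nothing here stops a non-CA
    certificate from issuing; rejecting that chain is the relying party's job."""
    body = _tbs(subject, issuer.subject, key_id, is_ca)
    sig = hmac.new(KEYS[issuer.key_id], body, hashlib.sha256).digest()
    return Cert(subject, issuer.subject, key_id, is_ca, sig)


def signature_valid(cert: Cert, issuer: Cert) -> bool:
    body = _tbs(cert.subject, cert.issuer, cert.key_id, cert.is_ca)
    expected = hmac.new(KEYS[issuer.key_id], body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(leaf: Cert, untrusted: List[Cert], anchors: List[Cert],
                   hostname: str, enforce_basic_constraints: bool = True) -> Tuple[bool, str]:
    """Walk from the leaf up to a trust anchor, checking the name on the leaf,
    each signature, and (unless disabled) that every issuer is a CA."""
    if leaf.subject != hostname:
        return False, f"name mismatch: {leaf.subject!r} != {hostname!r}"
    by_subject = {c.subject: c for c in untrusted}
    anchor_by_subject = {c.subject: c for c in anchors}
    current = leaf
    for _depth in range(8):          # bound the walk, as real validators do
        if current in anchors:
            return True, "chain ends at a trust anchor"
        issuer = anchor_by_subject.get(current.issuer) or by_subject.get(current.issuer)
        if issuer is None:
            return False, f"no issuer found for {current.subject!r}"
        if not signature_valid(current, issuer):
            return False, f"bad signature on {current.subject!r}"
        # The check iOS 4.3.4 and earlier skipped: the issuer must be a CA.
        if enforce_basic_constraints and not issuer.is_ca:
            return False, f"issuer {issuer.subject!r} is not a CA (basicConstraints)"
        current = issuer
    return False, "chain too long"


def scenario() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a legitimate chain, then the leaf-signed attack."""
    root = self_sign("Example Root CA", "root-key")
    bank = issue("www.bank.example", "bank-key", False, root)
    # The attacker legitimately buys an end-entity certificate for a domain
    # they control, then uses its key to sign one for the bank's hostname.
    attacker = issue("attacker.example", "attacker-key", False, root)
    rogue = issue("www.bank.example", "rogue-key", False, attacker)
    return {
        "legit": validate_chain(bank, [], [root], "www.bank.example"),
        "rogue_patched": validate_chain(rogue, [attacker], [root], "www.bank.example"),
        "rogue_ios_4_3_4": validate_chain(rogue, [attacker], [root], "www.bank.example",
                                          enforce_basic_constraints=False),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The rogue certificate carries the bank's hostname and a signature that genuinely verifies against the attacker's purchased certificate, which in turn chains to a trusted root, so name matching and signature checking both pass; only the basicConstraints check on the intermediate stops it. That is why, on an unpatched device, sslsniff can substitute such a certificate without any warning to the user.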
Security researchers at Recurity Labs have set up a website, https://issl.recurity.com, which iOS users can visit from their devices to see whether they are vulnerable. Tests by Betanews on several iOS devices not running the current version of iOS confirmed that the site is a reliable way to check.