-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2008.1065 -- [Appliance][OSX]
              iPhone OS 2.2 and iPhone OS for iPod touch 2.2
                             24 November 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              iPhone prior to 2.2
                      iPod touch prior to 2.2
Publisher:            Apple
Operating System:     Network Appliance
                      Mac OS X
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
                      Read-only Data Access
                      Inappropriate Access
                      Provide Misleading Information
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-4233 CVE-2008-4232 CVE-2008-4231
                      CVE-2008-4230 CVE-2008-4229 CVE-2008-4228
                      CVE-2008-4227 CVE-2008-4211 CVE-2008-3644
                      CVE-2008-2327 CVE-2008-2321 CVE-2008-1586

Ref:                  ESB-2008.1049
                      ESB-2008.0876
                      ESB-2008.0761

Original Bulletin:    http://support.apple.com/kb/HT3318

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2008-11-20 iPhone OS 2.2 and iPhone OS for iPod touch 2.2

iPhone OS 2.2 and iPhone OS for iPod touch 2.2 is now available and
addresses the following issues:

CoreGraphics
CVE-ID:  CVE-2008-2321
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  CoreGraphics contains memory corruption issues in the
processing of arguments. Passing untrusted input to CoreGraphics via
an application, such as a web browser, may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. Credit to
Michal Zalewski of Google for reporting this issue.

ImageIO
CVE-ID:  CVE-2008-2327
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple uninitialized memory access issues exist in
libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously
crafted TIFF image may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
proper memory initialization and additional validation of TIFF
images.

ImageIO
CVE-ID:  CVE-2008-1586
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected device reset
Description:  A memory exhaustion issue exists in the handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected device reset. This update addresses the issue by limiting
the amount of memory allocated to open a TIFF image. Credit to Sergio
'shadown' Alvarez of n.runs AG for reporting this issue.
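
The mitigation described for CVE-2008-1586 (limiting the memory allocated to open an image), as an added example that is not Apple's or libTIFF's code: a size check run on header fields before any buffer is allocated. The function name, the 64 MiB budget and the accepted bit depths are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed per-image memory budget; the advisory does not state Apple's limit. */
#define MAX_IMAGE_BYTES ((uint64_t)64 * 1024 * 1024)

/*
 * Hypothetical helper: compute the decoded buffer size from the TIFF header
 * fields ImageWidth, ImageLength, SamplesPerPixel and BitsPerSample, all of
 * which are attacker-controlled. Returns 0 and stores the size in *out, or
 * returns -1 if the image must be rejected before allocation.
 */
int checked_image_size(uint32_t width, uint32_t height,
                       uint16_t samples, uint16_t bits, size_t *out)
{
    uint64_t row_bits, row_bytes;

    /* Reject degenerate or unsupported layouts up front. */
    if (width == 0 || height == 0)
        return -1;
    if (samples == 0 || samples > 4)
        return -1;
    if (bits != 1 && bits != 8 && bits != 16)
        return -1;

    /* At most 2^32 * 4 * 16 = 2^38, so this cannot wrap in 64 bits. */
    row_bits = (uint64_t)width * samples * bits;
    row_bytes = (row_bits + 7) / 8;

    /* Divide instead of multiplying: row_bytes * height could wrap. */
    if (row_bytes > MAX_IMAGE_BYTES / height)
        return -1;

    *out = (size_t)(row_bytes * height);
    return 0;
}
```
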

Networking
CVE-ID:  CVE-2008-4227
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  The encryption level for PPTP VPN connections may be lower
than expected
Description:  The encryption level for PPTP VPN connections may
revert to a previous lower setting. This update addresses the issue
by properly setting the encryption preferences. Credit to Stephen
Butler of the University of Illinois of Urbana-Champaign for
reporting this issue.

Office Viewer
CVE-ID:  CVE-2008-4211
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Viewing a maliciously crafted Microsoft Excel file may lead
to an unexpected application termination or arbitrary code execution
Description:  A signedness issue in Office Viewer's handling of
columns in Microsoft Excel files may result in an out-of-bounds
memory access. Viewing a maliciously crafted Microsoft Excel file may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue by ensuring that the
affected index values are not negative. Credit: Apple.
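
The bug class named in CVE-2008-4211, as an added example that is not Office Viewer's code: a column index decoded into a signed type passes an upper-bound-only check when negative, and the hardened form also rejects negative values, as the advisory's fix describes. The record layout, MAX_COLS and all function names are hypothetical.

```c
#include <stdint.h>

#define MAX_COLS 256 /* assumed sheet width, not taken from the advisory */

/* Hypothetical cell record: the column index is a raw 16-bit file field. */
struct cell_record { uint8_t raw_col[2]; int32_t value; };
struct sheet { int32_t cols[MAX_COLS]; };

/* Decode the little-endian field as a SIGNED 16-bit value: FF FF is -1. */
static int decode_col(const uint8_t raw[2])
{
    int v = raw[0] | (raw[1] << 8);
    return v >= 0x8000 ? v - 0x10000 : v;
}

/*
 * Flawed validation: only the upper bound is tested, so every negative
 * index is accepted. Returns 1 if the index would be used. The write is
 * deliberately left out so the example never touches memory out of bounds.
 */
int accepts_upper_bound_only(const struct cell_record *r)
{
    return decode_col(r->raw_col) < MAX_COLS;
}

/* Hardened form: reject negative indexes as well as too-large ones. */
int store_cell(struct sheet *s, const struct cell_record *r)
{
    int col = decode_col(r->raw_col);

    if (col < 0 || col >= MAX_COLS)
        return -1;
    s->cols[col] = r->value;
    return 0;
}
```
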

Passcode Lock
CVE-ID:  CVE-2008-4228
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Emergency calls are not restricted to emergency numbers
Description:  iPhone provides the ability to make an emergency call
when locked. Currently, an emergency call may be placed to any
number. A person with physical access to an iPhone may take advantage
of this feature to place arbitrary calls which are charged to the
iPhone owner. This update addresses the issue by restricting
emergency calls to a limited set of phone numbers.

Passcode Lock
CVE-ID:  CVE-2008-4229
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Restoring a device from backup may not re-enable the
Passcode Lock
Description:  The Passcode Lock feature is designed to prevent
applications from being launched unless the correct passcode is
entered. A race condition in the handling of device settings may
cause the Passcode Lock to be removed when the device is restored
from backup. This may allow a person with physical access to the
device to launch applications without the passcode. This update
addresses the issue by improving the system's ability to recognize
missing preferences. This issue does not affect systems prior to
iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to Nolen Scaife
for reporting this issue.

Passcode Lock
CVE-ID:  CVE-2008-4230
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Short Message Service (SMS) messages may be revealed before
the passcode is entered
Description:  If an SMS message arrives while the emergency call
screen is visible, the entire SMS message is displayed, even if the
"Show SMS Preview" preference was set to "OFF". This update
addresses the issue by, in this situation, displaying only a
notification that a SMS message has arrived, and not its content.

Safari
CVE-ID:  CVE-2008-4231
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
HTML table elements. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved handling of HTML
table elements. Credit to Haifei Li of Fortinet's FortiGuard Global
Security Research Team for reporting this issue.

Safari
CVE-ID:  CVE-2008-4232
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Websites with embedded iframe elements may be vulnerable to
user interface spoofing
Description:  Safari allows an iframe element to display content
outside its boundaries, which may lead to user interface spoofing.
This update addresses the issue by not allowing iframe elements to
display content outside their boundaries. This issue does not affect
systems prior to iPhone OS 2.0 or iPhone OS for iPod touch 2.0.
Credit to John Resig of Mozilla Corporation for reporting this issue.

Safari
CVE-ID:  CVE-2008-4233
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Visiting a maliciously crafted website may initiate a phone
call without user interaction
Description:  If an application is launched via Safari while a call
approval dialog is shown, the call will be placed. This may allow a
maliciously crafted website to initiate a phone call without user
interaction. Additionally, under certain circumstances it may be
possible for a maliciously crafted website to block the user's
ability to cancel dialing for a short period of time. This update
addresses the issue by properly dismissing Safari's call approval
dialog when an application is being launched via Safari. Credit to
Collin Mulliner of Fraunhofer SIT for reporting this issue.

Webkit
CVE-ID:  CVE-2008-3644
Available for:  iPhone OS 1.0 through 2.1,
iPhone OS for iPod touch 1.1 through 2.1
Impact:  Sensitive information may be disclosed to a person with
physical access to an unlocked device
Description:  Disabling autocomplete on a form field may not prevent
the data in the field from being stored in the browser page cache.
This may lead to the disclosure of sensitive information to a person
with physical access to an unlocked device. This update addresses the
issue by properly clearing the form data. Credit to an anonymous
researcher for reporting this issue.

Installation note:

This update is only available through iTunes, and will not appear in
your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone or iPod touch is docked, iTunes will present the user with
the option to install the update. We recommend applying the update
immediately if possible. Selecting "don't install" will present the
option the next time you connect your iPhone or iPod touch.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the "Check for Update" button within iTunes. After doing
this, the update can be applied when your iPhone or iPod touch is
docked to your computer.

To check that the iPhone or iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"2.2 (5G77)" or later

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----