===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1274.2
           iPhone OS 3.1 and iPhone OS 3.1.1 for iPod touch fix
                         multiple vulnerabilities
                             10 September 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iPhone OS prior to 3.1
                   iPod touch OS prior to 3.1.1
Publisher:         Apple
Operating System:  Mac OS X
                   Network Appliance
Impact/Access:     Denial of Service               -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
                   Unauthorised Access             -- Console/Physical            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2815 CVE-2009-2797 CVE-2009-2796
                   CVE-2009-2795 CVE-2009-2794 CVE-2009-2207
                   CVE-2009-2206 CVE-2009-2199 CVE-2009-1725
                   CVE-2009-1724  

Original Bulletin: 
   http://support.apple.com/kb/HT3860

Revision History:  September 10 2009: Corrected spelling mistake in title
                   September 10 2009: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2009-09-09-1 iPhone OS 3.1 and iPhone OS 3.1.1 for
iPod touch

iPhone OS 3.1 and iPhone OS 3.1.1 for iPod touch are now available
and address the following:

CoreAudio
CVE-ID:  CVE-2009-2206
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  Opening a maliciously crafted AAC or MP3 file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the handling of AAC
and MP3 files. Opening a maliciously crafted AAC or MP3 file may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking.
Credit to Tobias Klein of trapkit.de for reporting this issue.

Exchange Support
CVE-ID:  CVE-2009-2794
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  A person with physical access to a device may be able to use
it after the timeout period specified by an Exchange administrator
Description:  iPhone OS provides the ability to communicate via
services provided by a Microsoft Exchange server. An administrator of
an Exchange server has the ability to specify a "Maximum inactivity
time lock" setting. This requires the user to reenter their passcode
after the expiration of the inactivity time in order to use the
Exchange services. iPhone OS allows a user to specify a "Require
Passcode" setting that may extend up to 4 hours. The "Require
Passcode" setting is not affected by the "Maximum inactivity time
lock" setting. If the user has "Require Passcode" set to a value
higher than the "Maximum inactivity time lock" setting, this would
allow a window of time for a person with physical access to use the
device, including Exchange services. This update addresses the issue
by disabling user choices for "Require Passcode" values greater than
the "Maximum inactivity time lock" setting. This issue only affects
iPhone OS 2.0 and later, and iPhone OS for iPod touch 2.0 and later.
Credit to Allan Steven, Robert Duran, Jeff Beckham of PepsiCo, Joshua
Levitsky, Michael Breton of Intel Corporation, Mike Karban of Edward
Jones, and Steve Moriarty of Agilent Technologies for reporting this
issue.

MobileMail
CVE-ID:  CVE-2009-2207
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  Deleted email messages may still be visible through a
Spotlight search
Description:  Spotlight finds and allows access to deleted messages
in Mail folders on the device. This would allow a person with access
to the device to view the deleted messages. This update addresses the
issue by not including the deleted email in the Spotlight search
result. This issue only affects iPhone OS 3.0, iPhone OS 3.0.1, and
iPhone OS for iPod touch 3.0. Credit to Clickwise Software and Tony
Kavadias for reporting this issue.

Recovery Mode
CVE-ID:  CVE-2009-2795
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  A person with physical access to a locked device may be able
to access the user's data
Description:  A heap buffer overflow exists in Recovery Mode command
parsing. This may allow another person with physical access to the
device to bypass the passcode, and access the user's data. This
update addresses the issue through improved bounds checking.

Telephony
CVE-ID:  CVE-2009-2815
Available for:  iPhone OS 1.0 through 3.0.1
Impact:  Receiving a maliciously crafted SMS message may lead to an
unexpected service interruption
Description:  A null pointer dereference issue exists in the handling
of SMS arrival notifications. Receiving a maliciously crafted SMS
message may lead to an unexpected service interruption. This update
addresses the issue through improved handling of incoming SMS
messages. Credit to Charlie Miller of Independent Security
Evaluators, and Collin Mulliner of Technical University Berlin for
reporting this issue.

UIKit
CVE-ID:  CVE-2009-2796
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  Passwords may be made visible
Description:  When a character in a password is deleted, and the
deletion is undone, the character is briefly made visible. This may
allow a person with physical access to the device to read a password,
one character at a time. This update addresses the issue by
preventing the character from being made visible. This issue only
affects iPhone OS 3.0 and iPhone OS 3.0.1. Credit to Abraham Vegh for
reporting this issue.

WebKit
CVE-ID:  CVE-2009-2797
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  User names and passwords in URLs may be disclosed to linked
sites
Description:  Safari includes the user name and password from the
original URL in the referer header. This may lead to the disclosure
of sensitive information. This update addresses the issue by not
including user names and passwords in referer headers. Credit to
James A. T. Rice of Jump Networks Ltd for reporting this issue.
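
An added example, not part of Apple's advisory and not WebKit's code: the
fix described above (no user name or password in the referer header) as a
function, plus a check a site operator can run over access logs to find
Referer values that did carry credentials. The log format and all sample
hosts, addresses and credentials are constructed for illustration.

```javascript
// Added example, not Apple's or WebKit's code.
// Build a Referer value that never carries URL credentials, and audit
// logged Referer values for ones that did.

// Referer to send when navigating away from documentUrl: userinfo
// (user:password@) and the fragment are removed; non-HTTP(S) sends none.
function refererFor(documentUrl) {
  const u = new URL(documentUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Assumed input: combined-format access log lines, where the Referer is the
// second-to-last double-quoted field. Returns one finding per leaking line,
// holding only the host and the credential-free URL (never the password).
function findCredentialReferers(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const quoted = line.match(/"[^"]*"/g) || [];
    if (quoted.length < 3) return; // need request, referer and user-agent
    const referer = quoted[quoted.length - 2].slice(1, -1);
    let u;
    try { u = new URL(referer); } catch { return; } // "-" or malformed
    if (u.username || u.password) {
      findings.push({ line: i + 1, host: u.host, redacted: refererFor(referer) });
    }
  });
  return findings;
}

// Constructed sample log lines (documentation addresses and hosts).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Sep/2009:10:00:00 +1000] "GET /a.png HTTP/1.1" 200 512 "http://alice:s3cret@intranet.example/reports?id=7" "Mozilla/5.0"',
  '203.0.113.6 - - [10/Sep/2009:10:00:01 +1000] "GET /b.png HTTP/1.1" 200 512 "http://www.example.org/page" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Sep/2009:10:00:02 +1000] "GET /c.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

console.log(findCredentialReferers(SAMPLE_LOG));
```

Any host reported by the audit has had its credentials exposed to the
logging site and should have them rotated.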

WebKit
CVE-ID:  CVE-2009-1725
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of numeric character references. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved handling of numeric character references. Credit to Chris
Evans for reporting this issue.

WebKit
CVE-ID:  CVE-2009-1724
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  An issue in WebKit's handling of the parent and top
objects may result in a cross-site scripting attack when visiting a
maliciously crafted website. This update addresses the issue through
improved handling of parent and top objects.

WebKit
CVE-ID:  CVE-2009-2199
Available for:  iPhone OS 1.0 through 3.0.1,
iPhone OS for iPod touch 1.1 through 3.0
Impact:  Look-alike characters in a URL could be used to masquerade a
website
Description:  The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious website to
direct the user to a spoofed site that visually appears to be a
legitimate domain. This update addresses the issue by supplementing
WebKit's list of known look-alike characters. Look-alike characters
are rendered in Punycode in the address bar. Credit to Chris Weber of
Casaba Security, LLC for reporting this issue.
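
An added example, not part of Apple's advisory and not WebKit's code: the
display rule described above, where a host name containing a known look-alike
character is shown in Punycode instead of Unicode. The LOOKALIKES set is a
small constructed sample, not WebKit's list, and applying the decision to the
whole host name is an assumption of this sketch.

```javascript
// Added example, not WebKit's code.
// Constructed sample of look-alike characters (NOT WebKit's actual list).
const LOOKALIKES = new Set([
  '\u0430', // CYRILLIC SMALL LETTER A, resembles Latin "a"
  '\u0435', // CYRILLIC SMALL LETTER IE, resembles Latin "e"
  '\u043E', // CYRILLIC SMALL LETTER O, resembles Latin "o"
  '\u0440', // CYRILLIC SMALL LETTER ER, resembles Latin "p"
  '\u0441', // CYRILLIC SMALL LETTER ES, resembles Latin "c"
  '\u03BF', // GREEK SMALL LETTER OMICRON, resembles Latin "o"
]);

// Decide what an address bar should show for a Unicode host name.
// If any character is a known look-alike, the whole host is shown in its
// ASCII (Punycode, "xn--") form so the spoof is visible; otherwise the
// readable Unicode form is kept, so ordinary IDNs are unaffected.
function addressBarHost(unicodeHost) {
  // The URL parser performs the IDNA ToASCII conversion for us.
  const ascii = new URL('http://' + unicodeHost).hostname;
  const found = [...unicodeHost].filter((ch) => LOOKALIKES.has(ch));
  if (found.length > 0) {
    return { display: ascii, punycode: true, lookalikes: found };
  }
  return { display: unicodeHost.toLowerCase(), punycode: false, lookalikes: [] };
}

// Constructed sample hosts: a spoof using Cyrillic "a", a benign IDN,
// and a plain ASCII host.
const SAMPLE_HOSTS = ['\u0430pple.com', 'b\u00FCcher.example', 'example.com'];

for (const host of SAMPLE_HOSTS) {
  const r = addressBarHost(host);
  console.log(`${host} -> ${r.display}${r.punycode ? ' (Punycode)' : ''}`);
}
```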


Installation note:

These updates are only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone or iPod touch is docked, iTunes will present the user with
the option to install the update. We recommend applying the update
immediately if possible. Selecting Don't Install will present the
option the next time you connect your iPhone or iPod touch.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone or iPod touch is
docked to your computer.

To check that the iPhone or iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"3.1 (7C144)" or later for iPhone, and "3.1.1 (7C145)" or later for
iPod touch.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================