-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0809
                     iOS 4.1 for iPhone and iPod touch
                             9 September 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          iOS 2.0 through 4.0.2 for iPhone
                  iOS 2.1 through 4.0.2 for iPod touch
Publisher:        Apple
Operating System: Apple iOS
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Modify Arbitrary Files          -- Remote with User Interaction
                  Provide Misleading Information  -- Remote with User Interaction
                  Access Confidential Data        -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2010-1817 CVE-2010-1815 CVE-2010-1814
                  CVE-2010-1813 CVE-2010-1812 CVE-2010-1811
                  CVE-2010-1810 CVE-2010-1809 CVE-2010-1793
                  CVE-2010-1791 CVE-2010-1788 CVE-2010-1787
                  CVE-2010-1786 CVE-2010-1785 CVE-2010-1784
                  CVE-2010-1783 CVE-2010-1782 CVE-2010-1781
                  CVE-2010-1780 CVE-2010-1771 CVE-2010-1770
                  CVE-2010-1764 CVE-2010-1422 CVE-2010-1421

Reference:        ESB-2010.0657
                  ESB-2010.0509

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-09-08-1 iOS 4.1 for iPhone and iPod touch

iOS 4.1 for iPhone and iPod touch is now available and addresses the
following:

Accessibility
CVE-ID:  CVE-2010-1809
Available for:  iOS 3.0 through 4.0.2 for iPhone 3GS and later,
iOS 3.0 through 4.0.2 for iPod touch (3rd generation)
Impact:  An application's use of location services may not be
announced through VoiceOver
Description:  A user interface accessibility issue exists in the
settings panel for Location Services. VoiceOver does not announce the
presence of the location services icon that is shown next to an
application that has requested the user's location within the last 24
hours. This issue is addressed by ensuring that VoiceOver announces
the presence of the icon. Credit to Robin Kipp of Forever Living
Products Europe for reporting this issue.

FaceTime
CVE-ID:  CVE-2010-1810
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  An attacker in a privileged network position may be able to
redirect FaceTime calls
Description:  An issue in the handling of invalid certificates may
allow an attacker in a privileged network position to redirect
FaceTime calls. This issue is addressed through improved handling of
certificates. Credit to Aaron Sigel of vtty.com for reporting this
issue.

ImageIO
CVE-ID:  CVE-2010-1811
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
TIFF images. Processing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of TIFF images.
Credit: Apple.

ImageIO
CVE-ID:  CVE-2010-1817
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Processing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in the handling of GIF images.
Processing a maliciously crafted GIF image may lead to an unexpected
application termination or arbitrary code execution. This issue is
addressed through improved bounds checking. Credit to Tom Ferris of
Adobe PSIRT for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1786
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
"foreignObject" elements in SVG documents. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through additional
validation of SVG documents. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1770
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A type checking issue exists in WebKit's handling of
text nodes. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved type checking. Credit to wushi of
team509, working with TippingPoint's Zero Day Initiative for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-1785
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access issue exists in WebKit's
handling of the ":first-letter" and ":first-line" pseudo-elements in
SVG text elements. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed by not rendering ":first-letter" or
":first-line" pseudo-elements in SVG text elements. Credit to wushi of
team509, working with TippingPoint's Zero Day Initiative for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-1780
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
element focus. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of element focus. Credit
to Tony Chang of Google, Inc. for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1793
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
"font-face" and "use" elements in SVG documents. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved handling of "font-face" and "use" elements in SVG
documents. Credit to Aki Helin of OUSPG for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1421
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may change the
contents of the clipboard
Description:  A design issue exists in the implementation of the
JavaScript execCommand function. A maliciously crafted web page can
modify the contents of the clipboard without user interaction. This
issue is addressed by only allowing clipboard commands to be executed
if initiated by the user. Credit: Apple.

WebKit
CVE-ID:  CVE-2010-1422
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Interacting with a maliciously crafted website may result in
unexpected actions on other sites
Description:  An implementation issue exists in WebKit's handling of
keyboard focus. If the keyboard focus changes during the processing
of key presses, WebKit may deliver an event to the newly-focused
frame, instead of the frame that had focus when the key press
occurred. A maliciously crafted website may be able to manipulate a
user into taking an unexpected action, such as initiating a purchase.
This issue is addressed by preventing the delivery of key press
events if the keyboard focus changes during processing. Credit to
Michal Zalewski of Google, Inc. for reporting this issue.
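
The routing rule described for CVE-2010-1422, as a simplified model. This
is an added example, not WebKit code and not part of Apple's advisory; the
class, method and frame names are hypothetical.

```javascript
// Simplified model of key event routing between frames.
// Names (Frame, KeyDispatcher, simulate) are hypothetical, not WebKit's.
class Frame {
  constructor(name) {
    this.name = name;
    this.received = [];     // events handed to this frame
    this.onKeyDown = null;  // optional script hook run during keydown
  }
}

class KeyDispatcher {
  constructor(initialFocus, dropOnFocusChange) {
    this.focused = initialFocus;
    this.dropOnFocusChange = dropOnFocusChange;
    this.dropped = [];      // events withheld by the fixed behaviour
  }

  focus(frame) { this.focused = frame; }

  // One physical key press is modelled as keydown followed by keypress.
  pressKey(key) {
    const origin = this.focused;  // frame that had focus when the key went down
    origin.received.push(`keydown:${key}`);
    if (origin.onKeyDown) origin.onKeyDown(this, key);  // script may move focus here

    if (this.focused !== origin && this.dropOnFocusChange) {
      // Fixed behaviour: focus changed during processing, so do not deliver.
      this.dropped.push(`keypress:${key}`);
      return;
    }
    // Pre-fix behaviour: deliver to whichever frame is focused now.
    this.focused.received.push(`keypress:${key}`);
  }
}

// Constructed scenario: frameA's keydown handler moves focus to frameB.
function simulate(dropOnFocusChange) {
  const frameA = new Frame('frameA');
  const frameB = new Frame('frameB');
  const dispatcher = new KeyDispatcher(frameA, dropOnFocusChange);
  frameA.onKeyDown = (d, key) => { if (key === 'Enter') d.focus(frameB); };
  dispatcher.pressKey('a');
  dispatcher.pressKey('Enter');
  return { frameA: frameA.received, frameB: frameB.received, dropped: dispatcher.dropped };
}

console.log('pre-fix :', simulate(false));
console.log('fixed   :', simulate(true));
```

With the fix enabled, frameB never receives a key press that the user
typed while frameA had focus.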

WebKit
CVE-ID:  CVE-2010-1771
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
fonts. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of fonts. Credit: Apple.

WebKit
CVE-ID:  CVE-2010-1783
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of dynamic modifications to text nodes. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
memory management.

WebKit
CVE-ID:  CVE-2010-1764
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a website that redirects form submissions may lead
to an information disclosure
Description:  A design issue exists in WebKit's handling of HTTP
redirects. When a form submission is redirected to a website that
also does a redirection, the information contained in the submitted
form may be sent to the third site. This issue is addressed through
improved handling of HTTP redirects. Credit to Marc Worrell of
WhatWebWhat for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1782
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's rendering
of inline elements. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved bounds checking. Credit to
wushi of team509 for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1781
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A double free issue exists in WebKit's rendering of
inline elements. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory management. Credit to
James Robinson of Google, Inc. for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1784
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of CSS counters. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory management. Credit to
wushi of team509, working with TippingPoint's Zero Day Initiative for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-1787
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of floating elements in SVG documents. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
memory management.

WebKit
CVE-ID:  CVE-2010-1791
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A signedness issue exists in WebKit's handling of
JavaScript arrays. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of JavaScript array
indices. Credit to Natalie Silvanovich for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1788
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of "use" elements in SVG documents. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
handling of "use" elements in SVG documents. Credit to Justin Schuh
of Google, Inc. for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1812
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
selections. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of selections. Credit to
Ojan Vafai of Google, Inc. for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1813
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's rendering
of HTML object outlines. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved memory
management. Credit to Jose A. Vazquez of spa-s3c.blogspot.com for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-1814
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of form menus. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is fixed through improved handling of form menus. Credit to
Csaba Osztrogonac of University of Szeged for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1815
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
scrollbars. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory management. Credit to Tony
Chang of Google, Inc. for reporting this issue.


Installation note:

These updates are only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone or iPod touch is docked, iTunes will present the user with
the option to install the update. We recommend applying the update
immediately if possible. Selecting Don't Install will present the
option the next time you connect your iPhone or iPod touch.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone or iPod touch is
docked to your computer.

To check that the iPhone or iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"4.1 (8B117)" or later.
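
The same check applied to a device inventory instead of one device at a
time. This is an added example, not part of Apple's advisory; the function
names are hypothetical, the inventory rows are constructed, and the build
ordering rule in the code is an assumption.

```javascript
// Audit device-reported "version (build)" strings against the patched
// release named in the bulletin. Function names are hypothetical.
const PATCHED = { version: [4, 1, 0], build: [8, 'B', 117] };  // "4.1 (8B117)"

// Parse the Settings > General > About form, e.g. "4.1 (8B117)".
// Anything else returns null so it is reviewed by hand rather than guessed at.
function parseAbout(text) {
  const m = /^\s*(\d+(?:\.\d+){0,2})\s*\((\d+)([A-Z])(\d+)\)\s*$/.exec(String(text));
  if (!m) return null;
  const version = m[1].split('.').map(Number);
  while (version.length < 3) version.push(0);  // "4.1" -> [4, 1, 0]
  return { version, build: [Number(m[2]), m[3], Number(m[4])] };
}

// Element-by-element comparison of two equal-length arrays.
function compareTuples(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] < b[i]) return -1;
    if (a[i] > b[i]) return 1;
  }
  return 0;
}

// true = at or past 4.1 (8B117); false = needs the update; null = unparseable.
function isPatched(text) {
  const parsed = parseAbout(text);
  if (!parsed) return null;
  const byVersion = compareTuples(parsed.version, PATCHED.version);
  if (byVersion !== 0) return byVersion > 0;
  // Same version number: fall back to the build.
  // Assumption: builds order by leading number, then letter, then trailing number.
  return compareTuples(parsed.build, PATCHED.build) >= 0;
}

function audit(rows) {
  const report = { patched: [], needsUpdate: [], review: [] };
  for (const { device, about } of rows) {
    const result = isPatched(about);
    const bucket = result === null ? report.review
      : result ? report.patched : report.needsUpdate;
    bucket.push(device);
  }
  return report;
}

// Constructed inventory: device names and every build except 8B117 are made up.
const SAMPLE_INVENTORY = [
  { device: 'phone-01', about: '4.1 (8B117)' },
  { device: 'phone-02', about: '4.0.2 (8A000)' },
  { device: 'ipod-03', about: '3.1.3 (7E00)' },
  { device: 'phone-04', about: '4.1 (8B100)' },
  { device: 'phone-05', about: 'unknown' },
];

console.log(audit(SAMPLE_INVENTORY));
```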

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMiEBz/iFOrG6YcBERArYAAJ9wnob/cIYw4DctPl6EhGx80Rp5gACgjqrA
oBz3an8phsDw8AViqG9xuiU=
=FQsY
-----END PGP SIGNATURE-----