===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.1066
                                  iOS 4.2
                              23 November 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple iOS 2.0 through 4.1 for iPhone 3G and later
                   Apple iOS 2.1 through 4.1 for iPod touch (2nd generation) and later
                   Apple iOS 3.2 through 3.2.2 for iPad
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4008 CVE-2010-3832 CVE-2010-3831
                   CVE-2010-3830 CVE-2010-3829 CVE-2010-3828
                   CVE-2010-3827 CVE-2010-3826 CVE-2010-3824
                   CVE-2010-3823 CVE-2010-3822 CVE-2010-3821
                   CVE-2010-3820 CVE-2010-3819 CVE-2010-3818
                   CVE-2010-3817 CVE-2010-3816 CVE-2010-3814
                   CVE-2010-3813 CVE-2010-3812 CVE-2010-3811
                   CVE-2010-3810 CVE-2010-3809 CVE-2010-3808
                   CVE-2010-3805 CVE-2010-3804 CVE-2010-3803
                   CVE-2010-3786 CVE-2010-3259 CVE-2010-3257
                   CVE-2010-3116 CVE-2010-3054 CVE-2010-3053
                   CVE-2010-2808 CVE-2010-2807 CVE-2010-2806
                   CVE-2010-2805 CVE-2010-2249 CVE-2010-1843
                   CVE-2010-1822 CVE-2010-1815 CVE-2010-1814
                   CVE-2010-1813 CVE-2010-1812 CVE-2010-1811
                   CVE-2010-1807 CVE-2010-1806 CVE-2010-1793
                   CVE-2010-1791 CVE-2010-1789 CVE-2010-1788
                   CVE-2010-1787 CVE-2010-1786 CVE-2010-1785
                   CVE-2010-1784 CVE-2010-1783 CVE-2010-1782
                   CVE-2010-1781 CVE-2010-1780 CVE-2010-1771
                   CVE-2010-1770 CVE-2010-1764 CVE-2010-1758
                   CVE-2010-1757 CVE-2010-1422 CVE-2010-1421
                   CVE-2010-1418 CVE-2010-1417 CVE-2010-1416
                   CVE-2010-1415 CVE-2010-1414 CVE-2010-1410
                   CVE-2010-1408 CVE-2010-1407 CVE-2010-1405
                   CVE-2010-1403 CVE-2010-1394 CVE-2010-1392
                   CVE-2010-1387 CVE-2010-1384 CVE-2010-1205
                   CVE-2010-0544 CVE-2010-0051 CVE-2010-0042
                   CVE-2009-1707

Reference:         ASB-2010.0175
                   ESB-2010.1061
                   ESB-2010.0809
                   ESB-2010.0805
                   ESB-2010.0792
                   ESB-2010.0757
                   ESB-2010.0657
                   ESB-2010.0555
                   ESB-2010.0539
                   ESB-2010.0509
                   ESB-2010.0287
                   ASB-2010.0237.3
                   ASB-2010.0201.2
                   ASB-2010.0197.2
                   ASB-2010.0157.2
                   ESB-2010.1039.2
                   ESB-2010.0239.2

Original Bulletin:
   http://support.apple.com/kb/HT4456

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2010-11-22-1 iOS 4.2

iOS 4.2 is now available and addresses the following:

Configuration Profiles
CVE-ID: CVE-2010-3827
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: A user may be misled into installing a maliciously crafted configuration profile
Description: A signature validation issue exists in the handling of configuration profiles. A maliciously crafted configuration profile may appear to have a valid signature in the configuration installation utility. This issue is addressed through improved validation of profile signatures. Credit to Barry Simpson of Bomgar Corporation for reporting this issue.

CoreGraphics
CVE-ID: CVE-2010-2805, CVE-2010-2806, CVE-2010-2807, CVE-2010-2808, CVE-2010-3053, CVE-2010-3054
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Multiple vulnerabilities in FreeType 2.4.1
Description: Multiple vulnerabilities exist in FreeType 2.4.1, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues are addressed by updating FreeType to version 2.4.2.
Further information is available via the FreeType site at http://www.freetype.org/

FreeType
CVE-ID: CVE-2010-3814
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution
Description: A heap buffer overflow exists in FreeType's handling of TrueType opcodes. Viewing a PDF document with maliciously crafted embedded fonts may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

iAd Content Display
CVE-ID: CVE-2010-3828
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: An attacker in a privileged network position may be able to cause a call to be initiated
Description: A URL handling issue exists in iAd Content Display. An iAd is requested by an application, either automatically or through explicit user action. By injecting the contents of a requested ad with a link containing a URL scheme used to initiate a call, an attacker in a privileged network position may be able to cause a call to occur. This issue is addressed by ensuring that the user is prompted before a call is initiated from a link. Credit to Aaron Sigel of vtty.com for reporting this issue.

ImageIO
CVE-ID: CVE-2010-2249, CVE-2010-1205
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Multiple vulnerabilities in libpng
Description: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.
Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

libxml
CVE-ID: CVE-2010-4008
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in libxml's xpath handling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of xpaths. Credit to Bui Quang Minh from Bkis (www.bkis.com) for reporting this issue.

Mail
CVE-ID: CVE-2010-3829
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Mail may resolve DNS names when remote image loading is disabled
Description: When WebKit encounters an HTML Link Element that requests DNS prefetching, it will perform the prefetch even if remote image loading is disabled. This may result in undesired requests to remote servers. The sender of an HTML-formatted email message could use this to determine whether the message was viewed. This issue is addressed by disabling DNS prefetching when remote image loading is disabled. Credit to Mike Cardwell of Cardwell IT Ltd. for reporting this issue.

Networking
CVE-ID: CVE-2010-1843
Available for: iOS 4.0 through 4.1 for iPhone 3GS and later, iOS 4.0 through 4.1 for iPod touch (3rd generation), iOS 3.2 through 3.2.2 for iPad
Impact: A remote attacker may cause an unexpected system shutdown
Description: A null pointer dereference issue exists in the handling of Protocol Independent Multicast (PIM) packets. By sending a maliciously crafted PIM packet, a remote attacker may cause an unexpected system shutdown.
This issue is addressed through improved validation of PIM packets. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue. This issue does not affect devices running iOS versions prior to 3.2.

Networking
CVE-ID: CVE-2010-3830
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Malicious code may gain system privileges
Description: An invalid pointer reference exists in Networking when handling packet filter rules. This may allow malicious code running in the user's session to gain system privileges. This issue is addressed through improved handling of packet filter rules.

OfficeImport
CVE-ID: CVE-2010-3786
Available for: iOS 3.2 through 3.2.2 for iPad
Impact: Viewing a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in OfficeImport's handling of Excel files. Viewing a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue was addressed on iPhones in iOS 4. Credit to Tobias Klein, working with VeriSign iDefense Labs for reporting this issue.

Photos
CVE-ID: CVE-2010-3831
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: "Send to MobileMe" may result in the disclosure of the MobileMe account password
Description: The Photos application allows users to share their pictures and movies through various means. One way is the "Send to MobileMe" button, which uploads the selected contents to the user's MobileMe Gallery. The Photos application will use HTTP Basic authentication if no other authentication mechanism is presented as available by the server.
An attacker with a privileged network position may manipulate the response of the MobileMe Gallery to request basic authentication, resulting in the disclosure of the MobileMe account password. This issue is addressed by disabling support for Basic authentication. Credit to Aaron Sigel of vtty.com for reporting this issue.

Safari
CVE-ID: CVE-2009-1707
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: "Reset Safari" may not immediately remove website passwords from memory
Description: After clicking the "Reset" button for "Reset saved names and passwords" in the "Reset Safari..." menu option, Safari may take up to 30 seconds to clear the passwords. A user with access to the device in that time window may be able to access the stored credentials. This issue is addressed by resolving the race condition that led to the delay. Credit to Philippe Couturier of izypage.com, and Andrew Wellington of The Australian National University for reporting this issue.

Telephony
CVE-ID: CVE-2010-3832
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 3.2 through 3.2.2 for iPad
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A heap buffer overflow exists in the handling of Temporary Mobile Subscriber Identity (TMSI) fields in GSM mobility management. This may allow a remote attacker to cause arbitrary code execution on the baseband processor. This issue is addressed through improved bounds checking. Credit to Ralf-Philipp Weinmann of the University of Luxembourg for reporting this issue.
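
The Photos entry above (CVE-2010-3831) describes a client that falls back to Basic when the 401 response offers nothing else. The sketch below is an added example, not Apple's code: it parses `WWW-Authenticate` challenges and contrasts that fallback with a policy that fails closed. The `Digest` allowlist, the function names and the sample header values are assumptions made for illustration.

```python
import re

# RFC 7235 token characters, used for scheme and parameter names.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_CHALLENGE_START = re.compile(rf"^({_TOKEN})(?:\s+(.*))?$", re.S)
_PARAM = re.compile(rf'^({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]*))$', re.S)
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")

# Assumed client policy for this example: schemes that never put the
# password itself on the wire. Basic is deliberately absent.
ALLOWED_SCHEMES = ("digest",)


class DowngradeRefused(Exception):
    """Raised when the server offers no scheme the policy allows."""


def _split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _store_param(params, text):
    """Store `name=value` in params; return False if text is not a parameter."""
    m = _PARAM.match(text)
    if not m or _TOKEN68.match(text):
        return False
    quoted, bare = m.group(2), m.group(3)
    value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
    params[m.group(1).lower()] = value
    return True


def parse_challenges(header_values):
    """Return [(scheme, params)] from one or more WWW-Authenticate values."""
    challenges = []
    for value in header_values:
        for part in _split_outside_quotes(value):
            if challenges and _store_param(challenges[-1][1], part):
                continue  # parameter of the challenge already open
            m = _CHALLENGE_START.match(part)
            if not m:
                continue  # malformed fragment: ignore rather than guess
            params = {}
            challenges.append((m.group(1).lower(), params))
            rest = (m.group(2) or "").strip()
            if rest and not _store_param(params, rest):
                params["token68"] = rest
    return challenges


def pick_scheme_legacy(challenges):
    """Behaviour the advisory describes before the fix: use Basic when the
    response presents no other mechanism."""
    offered = [scheme for scheme, _ in challenges]
    for scheme in offered:
        if scheme != "basic":
            return scheme
    return "basic" if offered else None


def pick_scheme_hardened(challenges):
    """Basic is unsupported, so a Basic-only response fails closed."""
    for scheme, _ in challenges:
        if scheme in ALLOWED_SCHEMES:
            return scheme
    offered = ", ".join(s for s, _ in challenges) or "none"
    raise DowngradeRefused(f"no acceptable scheme offered (got: {offered})")


# Constructed sample header values (not captured traffic).
GENUINE_401 = ['Digest realm="gallery", qop="auth", nonce="a1, b2", Basic realm="gallery"']
TAMPERED_401 = ['Basic realm="gallery"']

if __name__ == "__main__":
    for label, headers in (("genuine", GENUINE_401), ("tampered", TAMPERED_401)):
        parsed = parse_challenges(headers)
        try:
            hardened = pick_scheme_hardened(parsed)
        except DowngradeRefused as exc:
            hardened = f"refused: {exc}"
        print(label, "| legacy:", pick_scheme_legacy(parsed), "| hardened:", hardened)
```
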

WebKit
CVE-ID: CVE-2010-3803
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in WebKit's handling of strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to J23 for reporting this issue.

WebKit
CVE-ID: CVE-2010-3824
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of "use" elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-3816
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of scrollbars. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to Rohit Makasana of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-3809
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid cast issue exists in WebKit's handling of inline styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of inline styling. Credit to Abhishek Arya (Inferno) of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-3810
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: A maliciously crafted website may be able to spoof the address in the location bar or add arbitrary locations to the history
Description: A cross-origin issue exists in WebKit's handling of the History object. A maliciously crafted website may be able to spoof the address in the location bar or add arbitrary locations to the history. This issue is addressed through improved tracking of security origins. Credit to Mike Taylor of Opera Software for reporting this issue.

WebKit
CVE-ID: CVE-2010-3805
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An integer underflow exists in WebKit's handling of WebSockets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Keith Campbell, and Cris Neckar of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-3823
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of Geolocation objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to kuzzcc for reporting this issue.

WebKit
CVE-ID: CVE-2010-3116
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple use after free issues exist in WebKit's handling of plug-ins. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. These issues are addressed through improved memory handling.

WebKit
CVE-ID: CVE-2010-3812
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in WebKit's handling of Text objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to J23 working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-3808
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid cast issue exists in WebKit's handling of editing commands. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of editing commands. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-3259
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a malicious website may lead to the disclosure of image data from another website
Description: A cross-origin issue exists in WebKit's handling of images created from "canvas" elements. Visiting a malicious website may lead to the disclosure of image data from another website. This issue is addressed through improved tracking of security origins. Credit to Isaac Dawson, and James Qiu of Microsoft and Microsoft Vulnerability Research (MSVR) for reporting this issue.

WebKit
CVE-ID: CVE-2010-1822
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid cast issue exists in WebKit's handling of SVG elements in non-SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of SVG elements. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-3811
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of element attributes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to Michal Zalewski for reporting this issue.

WebKit
CVE-ID: CVE-2010-3817
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid cast issue exists in WebKit's handling of CSS 3D transforms. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS 3D transforms. Credit to Abhishek Arya (Inferno) of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-3818
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of inline text boxes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to Abhishek Arya (Inferno) of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-3819
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid cast issue exists in WebKit's handling of CSS boxes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS boxes. Credit to Abhishek Arya (Inferno) of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-3820
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's handling of editable elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of editable elements. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1789
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit's handling of JavaScript string objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1806
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of elements with run-in styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of object pointers. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-3257
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of element focus. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. Credit to VUPEN Vulnerability Research Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-3826
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid cast issue exists in WebKit's handling of colors in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of colors in SVG documents.
Credit to Abhishek Arya (Inferno) of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-1807
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An input validation issue exists in WebKit's handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of floating point values. Credit to Luke Wagner of Mozilla for reporting this issue.

WebKit
CVE-ID: CVE-2010-3821
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of the ':first-letter' pseudo-element in cascading stylesheets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of the ':first-letter' pseudo-element. Credit to Cris Neckar and Abhishek Arya (Inferno) of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-3804
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Websites may surreptitiously track users
Description: Safari generates random numbers for JavaScript applications using a predictable algorithm. This may allow a website to track a particular Safari session without using cookies, hidden form elements, IP addresses, or other techniques.
This update addresses the issue by using a stronger random number generator. Credit to Amit Klein of Trusteer for reporting this issue.

WebKit
CVE-ID: CVE-2010-3813
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: WebKit may perform DNS prefetching even when it is disabled
Description: When WebKit encounters an HTML Link Element that requests DNS prefetching, it will perform the operation even if prefetching is disabled. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read. This issue is addressed through improved handling of DNS prefetching requests. Credit to Jeff Johnson of Rogue Amoeba Software for reporting this issue.

WebKit
CVE-ID: CVE-2010-3822
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in WebKit's handling of CSS counter styles. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS counter styles. Credit to kuzzcc for reporting this issue.

WebKit
Available for: iOS 2.0 through 4.1 for iPhone 3G and later, iOS 2.1 through 4.1 for iPod touch (2nd generation) and later, iOS 3.2 through 3.2.2 for iPad
Impact: A maliciously crafted website may be able to determine which sites a user has visited
Description: A design issue exists in WebKit's handling of the CSS :visited pseudo-class. A maliciously crafted website may be able to determine which sites a user has visited.
This update limits the ability of web pages to style pages based on whether links are visited.

Multiple components
CVE-ID: CVE-2010-0051, CVE-2010-0544, CVE-2010-0042, CVE-2010-1384, CVE-2010-1387, CVE-2010-1392, CVE-2010-1394, CVE-2010-1403, CVE-2010-1405, CVE-2010-1407, CVE-2010-1408, CVE-2010-1410, CVE-2010-1414, CVE-2010-1415, CVE-2010-1416, CVE-2010-1417, CVE-2010-1418, CVE-2010-1421, CVE-2010-1422, CVE-2010-1757, CVE-2010-1758, CVE-2010-1764, CVE-2010-1770, CVE-2010-1771, CVE-2010-1780, CVE-2010-1781, CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1786, CVE-2010-1787, CVE-2010-1788, CVE-2010-1791, CVE-2010-1793, CVE-2010-1811, CVE-2010-1812, CVE-2010-1813, CVE-2010-1814, CVE-2010-1815
Available for: iOS 3.2 through 3.2.2 for iPad
Impact: Multiple security fixes in iOS for iPad
Description: This update incorporates security fixes that were provided for iPhone and iPod touch in iOS 4 and iOS 4.1.

Installation note:

These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone, iPod touch or iPad is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone, iPod touch, or iPad.

The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone, iPod touch, or iPad is docked to your computer.
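
The Mail (CVE-2010-3829) and WebKit (CVE-2010-3813) entries above both describe a `<link>` element whose DNS prefetch reveals that an HTML message was opened. The following is an added example, not part of Apple's advisory: a filter for HTML mail bodies that removes such elements before rendering and records the hosts they named. Covering `preconnect`, `prefetch` and `prerender` as well is a generalisation beyond the advisory, and the class name, function name and sample message are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values that make a client contact a remote host before any user action.
# The advisory names DNS prefetching; the others are an added generalisation.
HINT_RELS = {"dns-prefetch", "preconnect", "prefetch", "prerender"}


class PrefetchStripper(HTMLParser):
    """Re-serialises HTML, dropping <link> resource hints and logging their hosts."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # do not decode entities
        self.out = []
        self.removed_hosts = []

    def _drop(self, tag, attrs):
        """Return True (and record the host) if this tag is a resource hint."""
        if tag != "link":
            return False
        attr = dict(attrs)
        rels = set((attr.get("rel") or "").lower().split())
        if not rels & HINT_RELS:
            return False
        href = (attr.get("href") or "").strip()
        try:
            host = urlsplit(href).hostname
        except ValueError:  # malformed authority, e.g. an unclosed "[" literal
            host = None
        self.removed_hosts.append(host or href)
        return True

    def handle_starttag(self, tag, attrs):
        if not self._drop(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # self-closing form: <link ... />
        if not self._drop(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag != "link":  # link is a void element; a stray </link> is dropped
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_prefetch_hints(html_body):
    """Return (cleaned_html, hosts_named_by_removed_hints)."""
    parser = PrefetchStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed_hosts


# Constructed sample message body: a per-recipient hostname in a prefetch hint.
SAMPLE_MAIL_HTML = (
    "<html><head>"
    '<link rel="dns-prefetch" href="//rcpt-7f3a9c.tracker.example">'
    '<link rel="stylesheet" href="cid:style.css">'
    "</head><body><p>Quarterly report &amp; notes</p></body></html>"
)

if __name__ == "__main__":
    cleaned, hosts = strip_prefetch_hints(SAMPLE_MAIL_HTML)
    print(cleaned)
    print("hosts that would have been resolved:", hosts)
```

Marked sections and processing instructions are not re-emitted by this filter, and the recorded host list is what a mail gateway would log for review.
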

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "4.2.1 (8C148)" or later. New devices with the version "4.2 (8C134)" or "4.2 (8C134b)" already include the fixes listed in this advisory.

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================