Apple iPhone Multiple Bugs Let Remote Users Execute Arbitrary Code and Physically Local Users Access the Device
SecurityTracker Alert ID: 1024135
SecurityTracker URL: http://securitytracker.com/id?1024135
CVE Reference: CVE-2010-1751, CVE-2010-1752, CVE-2010-1753, CVE-2010-1754, CVE-2010-1755, CVE-2010-1756, CVE-2010-1775
Date: Jun 22 2010
Impact:
Denial of service via local system, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 4.0
Description:
Several vulnerabilities were reported in Apple iPhone. A remote user can cause arbitrary code to be executed on the target user's system. A physically local user can access data. An application can infer a user's location.
A remote user can create an application that, when loaded and executed by the target user, will determine visited locations without authorization [CVE-2010-1751]. Zac White reported this vulnerability.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a stack overflow in CFNetwork's URL handling code and execute arbitrary code on the target system [CVE-2010-1752]. Laurent OUDOT of TEHTRI-Security reported this vulnerability.
A remote user can create a specially crafted JPEG image that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2010-1753]. Ladd Van Tol of Critical Path Software reported this vulnerability.
When MobileMe is used to Remote Lock the target device while the device is unlocked in response to an alert (e.g., alert for receiving text message, alert for receiving voicemail), the passcode will already be entered at the next unlock of the device [CVE-2010-1754]. Sidney San Martin of DeepTech, Inc. reported this vulnerability.
In some cases, cookie preferences in Safari are not applied until Safari is restarted [CVE-2010-1755]. A remote user can exploit this to set cookies even if the Accept Cookies preference is set to "From visited" or "Never". Jason Dent of Street Side Software reported this vulnerability.
When a user is connected to a "hidden" wireless network, the Settings application may display a different wireless network [CVE-2010-1756]. Wilfried Teiken reported this vulnerability.
A physically local user can exploit a race condition in the pairing of a device with a computer to access data for a short period after the initial boot if the device was unlocked when last powered down [CVE-2010-1775].
Impact:
A remote user can create a file or HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
A physically local user can access data.
An application can infer a user's location.
Solution:
The vendor has issued a fix (4.0), available via iTunes.
The vendor's advisory is available at:
http://support.apple.com/kb/HT4225
Vendor URL: support.apple.com/kb/HT4225
Cause:
Access control error, Boundary error, State error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Tue, 22 Jun 2010 06:22:57 +0000
Subject: Apple iPhone
APPLE-SA-2010-06-21-1 iOS 4

Application Sandbox
CVE-ID: CVE-2010-1751
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: An application may be able to infer the user's location
without authorization
Description: The Application Sandbox does not prevent applications
from directly accessing the user's photo library. This may allow an
application to determine visited locations without authorization.
This issue is addressed by modifying the Application Sandbox to
prevent direct access to the user's photo library. Credit to Zac
White for reporting this issue.

CFNetwork
CVE-ID: CVE-2010-1752
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A stack overflow exists in CFNetwork's URL handling
code. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory handling. Credit to
Laurent OUDOT of TEHTRI-Security for reporting this issue.

ImageIO
CVE-ID: CVE-2010-1753
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Processing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
JPEG images. Processing a maliciously crafted JPEG image may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. Credit to
Ladd Van Tol of Critical Path Software for reporting this issue.

Passcode Lock
CVE-ID: CVE-2010-1754
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Remote Lock via MobileMe may not be effective in preventing
access
Description: If the device is unlocked in response to an alert, such
as receiving a text message or voicemail, and MobileMe is then used
to Remote Lock the device, then the next unlock of the device will
have the passcode already entered. A person with physical access to
the device will not require the passcode in this situation. This
issue is addressed by properly clearing the passcode. Credit to
Sidney San Martin of DeepTech, Inc. for reporting this issue.

Safari
CVE-ID: CVE-2010-1755
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Cookies may be set by third-party sites even when the Accept
Cookies preference is set to "From visited" or "Never"
Description: An implementation issue exists in the handling of
cookie preferences. Cookie preferences are not applied until Safari
is restarted. Cookies may be set by third-party sites even when the
Accept Cookies preference is set to "From visited" or "Never". This
issue is addressed by applying the Accept Cookies preference. Credit
to Jason Dent of Street Side Software for reporting this issue.

Settings
CVE-ID: CVE-2010-1756
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A user may be misled as to the actual operational wireless
network
Description: A design issue exists in the Settings application. When
connected to a hidden wireless network, the Settings application may
incorrectly indicate another wireless network. This issue is
addressed by properly displaying the active wireless network. Credit
to Wilfried Teiken for reporting this issue.

Passcode Lock
CVE-ID: CVE-2010-1775
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A person with physical access to a device may be able to
access the user's data
Description: A device with a passcode set may only be paired with a
computer if the device is unlocked. A race condition permits pairing
for a short period after the initial boot, if the device was unlocked
before powering down. If the device was shut down from a locked
state, this issue does not occur. This issue is addressed through
improved checking for the locked state.