(Apple Issues Fix for iPhone) Apple Safari IDN and Unicode Support Lets Remote Users Spoof URLs
SecurityTracker Alert ID: 1022872
SecurityTracker URL: http://securitytracker.com/id/1022872
CVE Reference: CVE-2009-2199
Date: Sep 9 2009
Impact: Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.0 - 3.0.1

Description:
A vulnerability was reported in Apple Safari. A remote user can spoof URLs. Apple iPhone is affected.
A remote web site can redirect the target user to a specially crafted URL that appears to be a different URL by using International Domain Name (IDN) support and Unicode fonts to create "look-alike" characters in the URL.
Chris Weber of Casaba Security, LLC reported this vulnerability.
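A defender-side check for the look-alike technique described above, as an added example that is not part of the SecurityTracker or Apple advisory: it decodes each hostname label (including the `xn--` ACE form) and reports labels that mix scripts or contain non-ASCII characters. The function names, the name-based script heuristic and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

def script_of(ch):
    """Approximate the script from the first word of the Unicode character name."""
    if ch in "0123456789-":
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]   # e.g. "LATIN", "CYRILLIC", "GREEK"
    except ValueError:                            # unnamed code point
        return "UNKNOWN"

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding the ACE form (xn--...)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def inspect_host(host):
    """Return (label, scripts, verdict) for every label that deserves a second look."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            findings.append((raw, [], "invalid-punycode"))
            continue
        scripts = sorted({script_of(c) for c in label} - {"COMMON"})
        if len(scripts) > 1:
            findings.append((label, scripts, "mixed-script"))
        elif not label.isascii():
            findings.append((label, scripts, "single-script-idn"))
    return findings

# Constructed sample hostnames under a reserved TLD; U+0430 is CYRILLIC SMALL LETTER A.
SAMPLES = [
    "www.example.test",
    "ex\u0430mple.test",
    "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".test",
    "\u0441\u0430\u0440\u0435.test",   # entirely Cyrillic, renders like Latin "cape"
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(ascii(host), inspect_host(host))
```

A label written entirely in one non-Latin script is reported as `single-script-idn` rather than `mixed-script`, because script mixing alone does not catch whole-script look-alikes.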

Impact:
A remote user can spoof URLs.

Solution:
Apple has issued a fix for iPhone, which is affected by this vulnerability: iPhone OS 3.1 (7C144) for iPhone and iPhone OS 3.1.1 (7C145) for iPod touch. The fix is available via iTunes.
The vendor's advisory is available at:
http://support.apple.com/kb/HT3860

Vendor URL: support.apple.com/kb/HT3860

Cause:
Input validation error

Underlying OS:

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Wed, 9 Sep 2009 18:20:56 -0400
Subject: Apple iPhone

APPLE-SA-2009-09-09-1 iPhone OS 3.1 and iPhone OS 3.1.1 for iPod touch
CVE-2009-2199