
Category:   Device (VoIP/Phone/FAX)  >   Apple iPhone
Vendors:   Apple
Apple iPhone SMS Message Processing Bugs Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1022626
SecurityTracker URL:
CVE Reference:   CVE-2009-2204   (Links to External Site)
Updated:  Jul 31 2009
Original Entry Date:  Jul 30 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0 and prior versions
Description:   A vulnerability was reported in Apple iPhone. A remote user can execute arbitrary code on the target system.

A remote user can send a series of specially crafted SMS messages to execute arbitrary code on the target device.

The flaws reside in the SpringBoard window manager and the CommCenter process.

The recipient of a malicious SMS message may see a square character displayed in the message.

Collin Mulliner and Charlie Miller reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target device.
Solution:   The vendor has issued a fix (3.0.1).

The fix is available via iTunes and not via Software Update or direct download.

The vendor has supplied the following installation instructions [quoted]:

This update is only available through iTunes, and will not appear in
your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an internet connection and have
installed the latest version of iTunes from

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When the
iPhone is docked, iTunes will present the user with the option to
install the update. We recommend applying the update immediately if
possible. Selecting "don't install" will present the option the next
time you connect your iPhone.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the "Check for Update" button within iTunes. After doing
this, the update can be applied when your iPhone is docked to your

To check that the iPhone has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"3.0.1 (7A400)" or later

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.


Copyright 2015, LLC