SecurityTracker.com
Category:   OS (Other)  >   Apple iOS
Vendors:   Apple Computer
Apple iOS Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Information and Local Users Bypass Security Restrictions
SecurityTracker Alert ID:  1027552
SecurityTracker URL:  http://securitytracker.com/id/1027552
CVE Reference:   CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-4599, CVE-2012-3724, CVE-2012-3725, CVE-2012-3726, CVE-2012-3727, CVE-2012-3728, CVE-2012-3729, CVE-2012-3730, CVE-2012-3731, CVE-2012-3732, CVE-2012-3733, CVE-2012-3734, CVE-2012-3735, CVE-2012-3736, CVE-2012-3737, CVE-2012-3738, CVE-2012-3739, CVE-2012-3740, CVE-2012-3741, CVE-2012-3742, CVE-2012-3743, CVE-2012-3744, CVE-2012-3745, CVE-2012-3746, CVE-2012-3747
Date:  Sep 20 2012
Impact:   Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 6.0
Description:   Multiple vulnerabilities were reported in Apple iOS. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can obtain potentially sensitive information. A local user can execute arbitrary code with system privileges. A local user can bypass security restrictions. A physically local user can bypass the screen lock.

A remote user can create a specially crafted web page that, when loaded by the target user, will trigger one of several flaws in libxml and execute arbitrary code on the target system [CVE-2011-1944, CVE-2011-2821, CVE-2011-2834]. The code will run with the privileges of the target user. The vendor addressed these issues by applying the relevant upstream patches. Chris Evans of Google Chrome Security Team and Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences, reported these vulnerabilities.

A remote user can supply a specially crafted International Components for Unicode (ICU) locale ID that, when processed by an application that uses ICU, will trigger a stack buffer overflow and execute arbitrary code [CVE-2011-4599]. The vendor addressed this through improved bounds checking.

A remote web site can supply a specially crafted (malformed) URL that, when loaded by the target user, will cause CFNetwork to send the request to an incorrect hostname and disclose potentially sensitive information [CVE-2012-3724]. The vendor advisory describes this as an information disclosure issue, not code execution. Erling Ellingsen of Facebook reported this vulnerability.

A malicious Wi-Fi network can determine networks that the target device has previously accessed. Upon connecting to a Wi-Fi network, iOS may send out MAC addresses associated with previously accessed networks as part of the DNAv4 (Detecting Network Attachment in IPv4) protocol [CVE-2012-3725]. The vendor addressed this by disabling DNAv4 on unencrypted Wi-Fi networks. Mark Wuergler of Immunity, Inc. reported this vulnerability.
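The DNAv4 leak described above, as an added example that is not part of this advisory or of Apple's code: a detector that an access point (or a tester's rogue AP) can run over ARP frames to pull out the reachability probes RFC 4436 defines, which is how an untrusted network learns which networks a client remembers. Assumptions, per my reading of RFC 4436: a probe is a unicast ARP Request addressed to a remembered router's MAC, carrying the client's previous IPv4 address as sender IP and the router's IP as target IP. The frames are constructed inline; nothing is captured from a real device.

```python
"""Spot DNAv4 (RFC 4436) reachability probes in ARP frames seen by a Wi-Fi
access point.  Added example, not Apple's code.  Assumption: a DNAv4 probe is
a unicast ARP Request whose target hardware/protocol addresses name a router
the client remembers and whose sender IP is the address the client held on
that earlier network.  Sample frames below are constructed by hand.
"""
import struct

BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ETHERTYPE_ARP = 0x0806


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def arp_request(dst_mac, src_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II + ARP Request (htype 1, ptype IPv4, opcode 1)."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/ARP-over-IPv4 frame, else None."""
    if len(frame) < 42:
        return None
    dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": dst, "oper": oper, "sha": sha, "spa": spa,
            "tha": tha, "tpa": tpa}


def find_dnav4_probes(frames) -> list:
    """Each hit is one network the client remembers: its router's MAC and IP
    plus the IPv4 address the client used there."""
    probes = []
    for frame in frames:
        a = parse_arp(frame)
        if a is None or a["oper"] != 1:
            continue
        # Ordinary address resolution is broadcast with an all-zero target
        # MAC.  A unicast request that already names the target's MAC is a
        # reachability probe for a router learned on an earlier network.
        if a["dst"] == BROADCAST or a["tha"] == ZERO_MAC:
            continue
        probes.append({"client_mac": fmt_mac(a["sha"]),
                       "previous_ip": fmt_ip(a["spa"]),
                       "router_mac": fmt_mac(a["tha"]),
                       "router_ip": fmt_ip(a["tpa"])})
    return probes


# Constructed capture: one normal broadcast ARP on the current subnet, two
# DNAv4 probes for remembered networks, and a short junk frame.
CLIENT = mac("7c:6d:62:aa:bb:cc")
CAPTURE = [
    arp_request(BROADCAST, CLIENT, ip("192.168.1.50"), ZERO_MAC, ip("192.168.1.1")),
    arp_request(mac("00:1a:2b:3c:4d:5e"), CLIENT, ip("10.0.0.23"),
                mac("00:1a:2b:3c:4d:5e"), ip("10.0.0.1")),
    arp_request(mac("d8:5d:4c:11:22:33"), CLIENT, ip("172.16.5.9"),
                mac("d8:5d:4c:11:22:33"), ip("172.16.5.1")),
    b"\x00" * 20,
]

if __name__ == "__main__":
    for p in find_dnav4_probes(CAPTURE):
        print(p)
```

The first frame is what any client does on joining a network and carries nothing about its history; the two unicast probes each hand the AP a (router MAC, router IP, previous client IP) tuple. The iOS 6 change stops these probes on unencrypted networks, so a rogue open AP should no longer see them.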

A remote user can create a specially crafted JPEG image that, when loaded by the target user, will trigger a double free in ImageIO and execute arbitrary code [CVE-2012-3726]. Phil of PKJE Consulting reported this vulnerability.

A remote user can create a specially crafted IPSec racoon configuration file that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code [CVE-2012-3727]. The vendor addressed this through improved bounds checking. iOS Jailbreak Dream Team reported this vulnerability.

A local user can trigger an invalid pointer dereference in the kernel's handling of packet filter ioctls to alter kernel memory and execute arbitrary code with system privileges [CVE-2012-3728]. iOS Jailbreak Dream Team reported this vulnerability.

A local user can trigger an uninitialized memory access in the Berkeley Packet Filter (BPF) interpreter to disclose kernel memory contents and determine the kernel memory layout [CVE-2012-3729]. Dan Rosenberg reported this vulnerability.

The Mail application may display the wrong attachment. If a later message contains an attachment with the same Content-ID as an earlier one, the earlier attachment is displayed, even when the two messages come from different senders, which can facilitate spoofing or phishing [CVE-2012-3730]. Angelo Prado of the salesforce.com Product Security Team reported this vulnerability.
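The Content-ID confusion above, as an added example that is not Apple Mail's code: two MIME messages from different senders reuse one Content-ID, and an attachment cache keyed on Content-ID alone serves the first message's attachment when the second is displayed. The two cache classes are an assumed model of the logic issue, not Apple's implementation; the messages are constructed inline with the standard library.

```python
"""Attachment lookup keyed on Content-ID alone, beside the per-message key
that keeps one sender's attachment from standing in for another's.

Added example, not Apple Mail's code.  The two MIME messages are constructed
inline; the cache classes are an assumed model of the logic issue.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_message(sender: str, message_id: str, cid: str, payload: bytes) -> bytes:
    """A multipart/mixed message with one attachment carrying Content-ID `cid`."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Invoice"
    msg["Message-ID"] = message_id
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype="application", subtype="pdf",
                       filename="invoice.pdf", cid=cid)
    return msg.as_bytes()


def attachments(raw: bytes):
    """Yield (Message-ID, Content-ID, decoded bytes) for each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    mid = str(msg["Message-ID"])
    for part in msg.iter_attachments():
        yield mid, str(part["Content-ID"]), part.get_content()


class ContentIdCache:
    """Pre-fix model: keyed on Content-ID only, so the first attachment stored
    under an ID is what every later message reusing that ID displays."""

    def __init__(self):
        self._store = {}

    def ingest(self, raw: bytes) -> None:
        for _, cid, data in attachments(raw):
            self._store.setdefault(cid, data)

    def display(self, raw: bytes) -> list:
        return [self._store[cid] for _, cid, _ in attachments(raw)]


class PerMessageCache:
    """Fixed model: a Content-ID is only meaningful inside the message that
    declares it, so the key includes the Message-ID."""

    def __init__(self):
        self._store = {}

    def ingest(self, raw: bytes) -> None:
        for mid, cid, data in attachments(raw):
            self._store[(mid, cid)] = data

    def display(self, raw: bytes) -> list:
        return [self._store[(mid, cid)] for mid, cid, _ in attachments(raw)]


# Constructed messages: a genuine invoice, then a phishing mail from another
# sender that deliberately reuses the predictable Content-ID.
LEGIT_PDF = b"%PDF-1.4 genuine invoice from accounting"
PHISH_PDF = b"%PDF-1.4 attacker-supplied content"
SHARED_CID = "<invoice.pdf@mail.example.com>"
LEGIT = build_message("accounting@example.com", "<a1@example.com>", SHARED_CID, LEGIT_PDF)
PHISH = build_message("attacker@evil.example", "<b2@evil.example>", SHARED_CID, PHISH_PDF)


def render_phish(cache_cls) -> list:
    """Ingest both messages in arrival order, then return what the phishing
    message shows for its attachment under the given cache model."""
    cache = cache_cls()
    for raw in (LEGIT, PHISH):
        cache.ingest(raw)
    return cache.display(PHISH)


if __name__ == "__main__":
    print("Content-ID only :", render_phish(ContentIdCache))
    print("per message     :", render_phish(PerMessageCache))
```

Under the Content-ID-only model the phishing mail is rendered with the accounting department's real invoice attached, which is exactly the lure the advisory warns about; scoping the key to the message makes the attacker's reuse of the ID harmless.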

Mail does not properly set the Data Protection class for email attachments, so the attachments can be read without the user's passcode [CVE-2012-3731]. Stephen Prairie of Travelers Insurance and Erich Stuntebeck of AirWatch reported this vulnerability.

A remote user can spoof the sender of an S/MIME signed message. Mail displayed the untrusted 'From' address rather than the address associated with the message signer's identity [CVE-2012-3732]. An anonymous researcher reported this vulnerability.

When a user has multiple email addresses associated with iMessage and replies to a message, the reply may be sent from a different email address, disclosing the existence of that address to the recipient [CVE-2012-3733]. Rodney S. Foley of Gnomesoft, LLC reported this vulnerability.

The Office Viewer may write unencrypted document data to a temporary file in the invoking process's temporary directory, defeating Data Protection or other encryption the application applies to the user's files [CVE-2012-3734]. Salvatore Cataudella of Open Systems Technologies reported this vulnerability.

A physically local user can briefly view the last-used third-party app on a locked device via a logic flaw in the display of the 'Slide to Power Off' slider on the lock screen [CVE-2012-3735]. Chris Lawrence DBB reported this vulnerability.

A physically local user can exploit a flaw in the termination of FaceTime calls from the lock screen to bypass the screen lock [CVE-2012-3736]. Ian Vitek of 2Secure AB reported this vulnerability.

A physically local user can view all photos on a locked device. The passcode lock decided which photos to show by comparing the time the device was locked against each photo's timestamp, so spoofing the current time exposed photos taken before the device was locked [CVE-2012-3737]. Ade Barkah of BlueWax Inc. reported this vulnerability.

A physically local user can place FaceTime calls from a locked device via Voice Dialing on the Emergency Dialer screen, which can also disclose the user's contacts through contact suggestions [CVE-2012-3738]. Ade Barkah of BlueWax Inc. reported this vulnerability.

A physically local user can use the camera from the lock screen to interfere with the automatic lock functionality and bypass the screen lock [CVE-2012-3739]. Sebastian Spanninger of the Austrian Federal Computing Centre (BRZ) reported this vulnerability.

A physically local user can exploit a flaw in the screen lock state management to bypass the screen lock [CVE-2012-3740]. Ian Vitek of 2Secure AB reported this vulnerability.

A user can make purchases without entering Apple ID credentials, because iOS may not ask for the user's password during a transaction after Restrictions have been disabled [CVE-2012-3741]. Kevin Makens of Redwood High School reported this vulnerability.

A remote web site can place a Unicode character resembling the secure-connection lock icon in its page title, leading the user to believe a secure connection has been established [CVE-2012-3742]. Boku Kihara of Lepidum reported this vulnerability.

A sandboxed app can read files in the '/var/log' directory and obtain potentially sensitive information from system logs [CVE-2012-3743].

A remote user can spoof the apparent sender of an SMS message. Messages displayed the message's return (reply) address, which the sender controls, instead of the originating address [CVE-2012-3744]. pod2g reported this vulnerability.

A remote user can send a specially crafted SMS message that triggers an off-by-one buffer overflow in the handling of SMS user data headers and disrupts cellular connectivity [CVE-2012-3745]. pod2g reported this vulnerability.
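The two Telephony issues above, as one added example that is not Apple's code: a strict SMS-DELIVER parser that exposes both the originating address and any reply address carried in the User Data Header, so the choice of what to show as the sender is made explicitly, and that rejects a header whose declared length overruns the user data instead of reading past it. Assumptions: the reply-address information element is IEI 0x22 laid out like TP-OA, per 3GPP TS 23.040 (the advisory does not name the element), and the sample PDUs, constructed here by hand, use UCS-2 so no 7-bit unpacking is needed.

```python
"""Decode an SMS-DELIVER TPDU far enough to show the two Telephony issues:
which address a client chooses to display as the sender, and strict bounds
checking of the User Data Header (UDH).

Added example, not Apple's code.  Both PDUs are constructed by hand.
Assumptions: the "Reply Address Element" is UDH IEI 0x22 and is laid out like
TP-OA (3GPP TS 23.040); DCS 0x08 (UCS-2) is used so the text needs no 7-bit
unpacking.
"""
from __future__ import annotations

REPLY_ADDRESS_IEI = 0x22


def _decode_address(buf: bytes, pos: int) -> tuple[str, int]:
    """address-length (digits), type-of-address, swapped semi-octet digits."""
    if pos + 2 > len(buf):
        raise ValueError("truncated address")
    ndigits, toa = buf[pos], buf[pos + 1]
    start, end = pos + 2, pos + 2 + (ndigits + 1) // 2
    if end > len(buf):
        raise ValueError("truncated address digits")
    nibbles = []
    for b in buf[start:end]:
        nibbles += [str(b & 0x0F), str(b >> 4)]
    number = "".join(nibbles[:ndigits])      # drops the trailing 0xF filler
    if (toa & 0x70) == 0x10:                 # international numbering plan
        number = "+" + number
    return number, end


def parse_sms_deliver(tpdu: bytes) -> dict:
    """Return originating address, optional UDH reply address and the text.
    Raises ValueError rather than reading past any length field."""
    if not tpdu or (tpdu[0] & 0x03) != 0:
        raise ValueError("not an SMS-DELIVER")
    udhi = bool(tpdu[0] & 0x40)              # TP-UDHI: user data starts with a UDH
    originating, pos = _decode_address(tpdu, 1)
    if pos + 10 > len(tpdu):                 # TP-PID, TP-DCS, 7-byte TP-SCTS, TP-UDL
        raise ValueError("truncated header")
    dcs, udl = tpdu[pos + 1], tpdu[pos + 9]
    ud = tpdu[pos + 10:pos + 10 + udl]
    if dcs != 0x08:
        raise ValueError("example handles UCS-2 (DCS 0x08) only")
    if len(ud) != udl:
        raise ValueError("TP-UDL exceeds data present")

    reply, text_start = None, 0
    if udhi:
        if udl == 0:
            raise ValueError("UDHI set but no UDH")
        udhl = ud[0]
        # UDHL counts the bytes AFTER itself, so the header occupies udhl + 1
        # bytes.  Testing `udhl > udl` instead of `udhl + 1 > udl` accepts a
        # header one byte longer than the user data: the classic off-by-one.
        if udhl + 1 > udl:
            raise ValueError(f"UDH length {udhl} overruns user data ({udl})")
        udh = ud[1:1 + udhl]
        i = 0
        while i < len(udh):
            if i + 2 > len(udh):
                raise ValueError("truncated information element")
            iei, iedl = udh[i], udh[i + 1]
            body = udh[i + 2:i + 2 + iedl]
            if len(body) != iedl:
                raise ValueError("information element overruns UDH")
            if iei == REPLY_ADDRESS_IEI:
                reply, used = _decode_address(body, 0)
                if used != iedl:
                    raise ValueError("malformed reply address element")
            i += 2 + iedl
        text_start = 1 + udhl
    text_bytes = ud[text_start:]
    if len(text_bytes) % 2:
        raise ValueError("odd-length UCS-2 payload")
    return {"originating": originating, "reply_address": reply,
            "text": text_bytes.decode("utf-16-be")}


def displayed_sender(msg: dict, fixed: bool = True) -> str:
    """Before iOS 6 the client showed the sender-controlled reply address when
    one was present; the fix is to always show the originating address."""
    if not fixed and msg["reply_address"]:
        return msg["reply_address"]
    return msg["originating"]


# Constructed SMS-DELIVER: TP-OA +15551234567, UDH reply address +18005551212,
# UCS-2 text "Hi".
SPOOFED_PDU = bytes.fromhex(
    "44"                                 # TP-MTI=DELIVER, TP-MMS, TP-UDHI=1
    "0B 91 51 55 21 43 65 F7"            # TP-OA: 11 digits, international
    "00 08"                              # TP-PID, TP-DCS (UCS-2)
    "21 90 02 21 53 55 00"               # TP-SCTS
    "0F"                                 # TP-UDL: 15 octets
    "0A 22 08 0B 91 81 00 55 15 12 F2"   # UDH: IEI 0x22 reply address
    "00 48 00 69"                        # "Hi"
)
# Same PDU, but the UDHL claims 15 bytes inside a 15-byte user data field.
OVERLONG_UDH_PDU = SPOOFED_PDU[:19] + b"\x0f" + SPOOFED_PDU[20:]
```

Feeding `SPOOFED_PDU` through `displayed_sender(..., fixed=False)` reproduces the spoof: the user sees +18005551212 while the carrier actually delivered the message from +15551234567. `OVERLONG_UDH_PDU` is rejected with a ValueError at the length check; a parser that only tested `udhl > udl` would accept it and read one byte past the user data.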

A local user (or app) with access to the filesystem may be able to read files that were displayed in a UIWebView, because applications that use UIWebView may leave unencrypted files on the filesystem even when a passcode is enabled [CVE-2012-3746]. Ben Smith of Box reported this vulnerability.

A remote user can create a specially crafted web page that, when loaded by the target user, will trigger a memory corruption error in WebKit and execute arbitrary code [CVE-2012-3747]. David Bloom of Cue reported this vulnerability.

Impact:   A remote user can create a file or HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can bypass security restrictions.

A remote user can obtain potentially sensitive information.

A local user can execute arbitrary code with system privileges.

Solution:   The vendor has issued a fix (6.0).

The vendor's advisory is available at:

http://support.apple.com/kb/HT5503

Vendor URL:  http://support.apple.com/kb/HT5503
Cause:   Access control error, Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 20 Sep 2012 05:53:55 +0000
Subject:  Apple iOS


Excerpt from APPLE-SA-2012-09-19-1 iOS 6

libxml
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences

International Components for Unicode
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description:  A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599

CFNetwork
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description:  An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook

DHCP
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description:  Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.

ImageIO
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description:  A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting

IPSec
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description:  A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team

Kernel
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team

Kernel
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A local user may be able to determine kernel memory layout
Description:  An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg

Mail
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Mail may present the wrong attachment in a message
Description:  A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team

Mail
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Email attachments may be read without user's passcode
Description:  A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch

Mail
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  An attacker may spoof the sender of a S/MIME signed message
Description:  S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher

Messages
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A user may unintentionally disclose the existence of their
email addresses
Description:  When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC

Office Viewer
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Unencrypted document data may be written to a temporary file
Description:  An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies

Passcode Lock
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description:  A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB

Passcode Lock
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
bypass the screen lock
Description:  A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB

Passcode Lock
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  All photos may be accessible at the lock screen
Description:  A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issue was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.

Passcode Lock
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A person with physical access to a locked device may perform
FaceTime calls
Description:  A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.

Passcode Lock
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
bypass the screen lock
Description:  Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)

Passcode Lock
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
bypass the screen lock
Description:  A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB

Restrictions
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A user may be able to make purchases without entering Apple
ID credentials
Description:  After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School

Safari
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Websites may use characters with an appearance similar to
the lock icon in their titles
Description:  Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have led the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum

System Logs
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Sandboxed apps may obtain system log content
Description:  Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743

Telephony
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  An SMS message may appear to have been sent by an arbitrary
user
Description:  Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g

Telephony
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  An SMS message may disrupt cellular connectivity
Description:  An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g

UIKit
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description:  Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box

WebKit
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2012-3747 : David Bloom of Cue

 
 


Copyright 2014, SecurityGlobal.net LLC