SecurityTracker.com
Category:   OS (Other)  >   Apple iOS
Vendors:   Apple
Apple iOS Multiple Flaws Let Remote Users Deny Service and Obtain Mail Credentials and Let Local Users Access Potentially Sensitive Information
SecurityTracker Alert ID:  1036797
SecurityTracker URL:  http://securitytracker.com/id/1036797
CVE Reference:   CVE-2016-4620, CVE-2016-4719, CVE-2016-4740, CVE-2016-4741, CVE-2016-4746, CVE-2016-4747, CVE-2016-4749
Date:  Sep 13 2016
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 10.0
Description:   Multiple vulnerabilities were reported in Apple iOS. A remote user can cause denial of service conditions on the target system. A remote user can access mail credentials. A local user can obtain potentially sensitive information.

A remote user in a privileged network position can exploit a flaw in iOS updates to prevent the target device from receiving software updates [CVE-2016-4741].

An application can exploit a flaw in GeoServices PlaceData to read potentially sensitive location information [CVE-2016-4719].

The iOS keyboard may cache potentially sensitive information that can be accessed by a physically local user via keyboard auto-correct suggestions [CVE-2016-4746].

A remote user in a privileged network position may be able to use untrusted certificates to intercept mail credentials [CVE-2016-4747].

A local user may be able to exploit a flaw in Handoff for Messages to view messages on a target device that is not signed in to the Messages application [CVE-2016-4740].

An application may be able to access an unencrypted version of the target document in a temporary file when AirPrint preview is used [CVE-2016-4749].

An application can exploit a flaw in sandbox profiles to obtain information from SMS draft directories and determine with whom the target user is texting [CVE-2016-4620].

Raul Siles of DinoSec, an anonymous researcher, Step Wallace, Dave Aitel, Antoine M of France, Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest), Luke Deshotels and William Enck (North Carolina State University), and Lucas Vincenzo Davi and Ahmad-Reza Sadeghi (TU Darmstadt) reported these vulnerabilities.

Impact:   A remote user in a privileged network position can prevent software updates.

A remote user in a privileged network position can obtain mail credentials.

A local user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (10.0, 10.0.1).

The vendor advisories are available at:

https://support.apple.com/en-us/HT207143
https://support.apple.com/en-us/HT207145

Vendor URL:  support.apple.com/en-us/HT207143
Cause:   Access control error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 14 2016 (Apple Issues Fix for Apple Watch) Apple iOS Multiple Flaws Let Remote Users Deny Service and Obtain Mail Credentials and Let Local Users Access Potentially Sensitive Information
Apple has issued a fix for Apple Watch.


