SecurityTracker.com
Category:   Device (VoIP/Phone/FAX)  >   Apple iPhone
Vendors:   Apple
Apple iPhone Bugs Let Remote Users Dial Phone Numbers, Execute Arbitrary Code, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1018752
SecurityTracker URL:  http://securitytracker.com/id/1018752
CVE Reference:   CVE-2007-3753, CVE-2007-3754, CVE-2007-3755, CVE-2007-3756, CVE-2007-3757, CVE-2007-3758, CVE-2007-3759, CVE-2007-3760, CVE-2007-4671
Date:  Sep 28 2007
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.1 and prior versions
Description:   Several vulnerabilities were reported in Apple iPhone. A remote user can execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks.

A remote user within Bluetooth networking range can send specially crafted Service Discovery Protocol packets to a Bluetooth-enabled device to trigger an input validation vulnerability and execute arbitrary code [CVE-2007-3753].

Kevin Mahaffey and John Hering of Flexilis Mobile Security reported this vulnerability.

The Mail application will not notify the user if the identity of the mail server has changed or is untrusted [CVE-2007-3754]. A remote user can conduct a man-in-the-middle attack without detection.

A remote user can send mail with a 'tel:' link that, when loaded by the target user, will dial a telephone call without user confirmation [CVE-2007-3755].

Andi Baritchi of McAfee reported this vulnerability.

A remote user can create specially crafted HTML that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser [CVE-2007-3758, CVE-2007-3760, CVE-2007-3761]. The code will originate from an arbitrary site and run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Michal Zalewski of Google Inc. reported two of these vulnerabilities and Secunia separately reported one vulnerability.

A remote user can create HTML with a specially crafted 'tel:' link that, when loaded by the target user, will dial a different telephone number than displayed when confirmation is requested [CVE-2007-3757].

Billy Hoffman and Bryan Sullivan of HP Security Labs (Formerly SPI Labs) and Eduardo Tang separately reported this vulnerability.
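
The two 'tel:' issues above (CVE-2007-3755 and CVE-2007-3757) come down to one invariant: the string shown in the confirmation prompt must be the string handed to the dialer, and only an explicit confirmation may dial. The sketch below is an added example, not Apple's code; the function names, the allowed character set and the prompt text are assumptions made for illustration.

```javascript
// Added example: one canonical dial string drives both the prompt and the dialer.
// Assumption: only digits, a leading "+", and the symbols * and # are dialable.
const VISUAL_SEPARATORS = /[\s\-.()]/g;   // spaces, hyphens, dots, parentheses
const DIALABLE = /^\+?[0-9*#]{1,32}$/;    // constructed policy, not Apple's

// Returns the exact string that would be dialed, or null if the link is rejected.
function canonicalDialString(href) {
  if (typeof href !== 'string' || !/^tel:/i.test(href)) return null;
  // Drop ";parameter" and "?query" parts rather than passing them to the dialer.
  const raw = href.slice(4).split(/[;?]/)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(raw);    // decode exactly once, before validating
  } catch (e) {
    return null;                          // malformed percent-escape
  }
  const digits = decoded.replace(VISUAL_SEPARATORS, '');
  // Anything left over that is not dialable (letters, "%", ";", ",") rejects the link.
  return DIALABLE.test(digits) ? digits : null;
}

// confirmFn and dialFn are hypothetical callbacks standing in for the UI and the radio.
function handleTelLink(href, confirmFn, dialFn) {
  const number = canonicalDialString(href);
  if (number === null) return { dialed: false, reason: 'rejected' };
  // The prompt is built from `number`, never from the link text or the raw href.
  // Only an explicit `true` dials; a dismissed prompt (undefined/null) is a refusal.
  if (confirmFn(`Call ${number}?`) !== true) {
    return { dialed: false, reason: 'declined' };
  }
  dialFn(number);
  return { dialed: true, number };
}
```
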

When the user disables JavaScript, the change does not take effect until Safari is restarted [CVE-2007-3759].

A remote user can create specially crafted HTML that, when loaded by the target user, can access or manipulate the contents of documents served over HTTPS connections in the same domain [CVE-2007-4671].

Keigo Yamazaki of Little eArth Corporation Co., Ltd. reported this vulnerability.
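
The fixes described for CVE-2007-4671 (HTTP content reaching HTTPS content in the same domain) and CVE-2007-3760 (JavaScript as a frame source) both amount to stricter origin decisions. The following is an added example that models those decisions, not Safari's implementation; the function names and the sample URLs are constructed for illustration.

```javascript
// Added example: script access requires the same (scheme, host, port) tuple.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Returns the origin tuple for http/https URLs, or null for everything else.
function originTuple(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;                               // unparsable URL
  }
  // javascript:, data: and similar schemes get no origin of their own here.
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname,                          // already lower-cased by the parser
    port: u.port || DEFAULT_PORTS[u.protocol], // make the default port explicit
  };
}

// Decides whether script running at accessorUrl may touch the document at targetUrl.
function mayScript(accessorUrl, targetUrl) {
  const a = originTuple(accessorUrl);
  const t = originTuple(targetUrl);
  if (!a || !t) return { allowed: false, reason: 'opaque origin' };
  // The scheme is part of the origin: http and https on one host are different origins.
  if (a.scheme !== t.scheme) return { allowed: false, reason: 'scheme mismatch' };
  if (a.host !== t.host) return { allowed: false, reason: 'host mismatch' };
  if (a.port !== t.port) return { allowed: false, reason: 'port mismatch' };
  return { allowed: true, reason: 'same origin' };
}

// Rejects javascript: URLs as a frame source, ignoring case and
// whitespace or control characters placed before or inside the scheme.
function frameSrcAllowed(src) {
  const cleaned = String(src).replace(/[\u0000-\u0020]/g, '');
  return !/^javascript:/i.test(cleaned);
}
```
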

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can conduct man-in-the-middle attacks.

A remote user can cause different telephone numbers to be dialed.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can obtain the URL of a parent window.

Solution:   Apple has issued a fix (iPhone v1.1.1 Update).

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=306586

Vendor URL:  docs.info.apple.com/article.html?artnum=306586
Cause:   Access control error, Exception handling error, Input validation error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 14 2007 (Apple Issues Fix for OS X) Apple iPhone Bugs Let Remote Users Dial Phone Numbers, Execute Arbitrary Code, and Conduct Cross-Site Scripting Attacks
Apple has released a fix for Mac OS X.
Nov 15 2007 (Apple Issues Fix for Safari on Windows) Apple iPhone Bugs Let Remote Users Dial Phone Numbers, Execute Arbitrary Code, and Conduct Cross-Site Scripting Attacks
Apple has released a fix for Safari on Windows.



 Source Message Contents

Subject:  APPLE-SA-2007-09-27 iPhone v1.1.1 Update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-09-27 iPhone v1.1.1 Update

iPhone v1.1.1 Update is now available and addresses the following
issues:

Bluetooth
CVE-ID:  CVE-2007-3753
Impact:  An attacker within Bluetooth range may be able to cause an
unexpected application termination or arbitrary code execution
Description:  An input validation issue exists in the iPhone's
Bluetooth server. By sending maliciously-crafted Service Discovery
Protocol (SDP) packets to an iPhone with Bluetooth enabled, an
attacker may trigger the issue, which may lead to unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of SDP
packets. Credit to Kevin Mahaffey and John Hering of Flexilis Mobile
Security for reporting this issue.

Mail
CVE-ID:  CVE-2007-3754
Impact:  Checking email over untrusted networks may lead to
information disclosure via a man-in-the-middle attack
Description:  When Mail is configured to use SSL for incoming and
outgoing connections, it does not warn the user when the identity of
the mail server has changed or cannot be trusted. An attacker capable
of intercepting the connection may be able to impersonate the user's
mail server and obtain the user's email credentials or other
sensitive information. This update addresses the issue by properly
warning when the identity of the remote mail server has changed.

Mail
CVE-ID:  CVE-2007-3755
Impact:  Following a telephone ("tel:") link in Mail will dial a
phone number without confirmation
Description:  Mail supports telephone ("tel:") links to dial phone
numbers. By enticing a user to follow a telephone link in a mail
message, an attacker can cause iPhone to place a call without user
confirmation. This update addresses the issue by providing a
confirmation window before dialing a phone number via a telephone
link in Mail. Credit to Andi Baritchi of McAfee for reporting this
issue.

Safari
CVE-ID:  CVE-2007-3756
Impact:  Visiting a malicious website may lead to the disclosure of
URL contents
Description:  A design issue in Safari allows a web page to read the
URL that is currently being viewed in its parent window. By enticing
a user to visit a maliciously crafted web page, an attacker may be
able to obtain the URL of an unrelated page. This update addresses
the issue through an improved cross-domain security check. Credit to
Michal Zalewski of Google Inc. and Secunia Research for reporting
this issue.

Safari
CVE-ID:  CVE-2007-3757
Impact:  Visiting a malicious website may lead to unintended dialing
or dialing a different number than expected
Description:  Safari supports telephone ("tel:") links to dial phone
numbers. When a telephone link is selected, Safari will confirm that
the number should be dialed. A maliciously crafted telephone link may
cause a different number to be displayed during confirmation than the
one actually dialed. Exiting Safari during the confirmation process
may result in unintentional confirmation. This update addresses the
issue by properly displaying the number that will be dialed, and
requiring confirmation for telephone links. Credit to Billy Hoffman
and Bryan Sullivan of HP Security Labs (Formerly SPI Labs) and
Eduardo Tang for reporting this issue.

Safari
CVE-ID:  CVE-2007-3758
Impact:  Visiting a malicious website may lead to cross-site
scripting
Description:  A cross-site scripting vulnerability exists in Safari
that allows malicious websites to set JavaScript window properties of
websites served from a different domain. By enticing a user to visit
a maliciously crafted website, an attacker can trigger the issue,
resulting in getting or setting the window status and location of
pages served from other websites. This update addresses the issue by
providing improved access controls on these properties. Credit to
Michal Zalewski of Google Inc. for reporting this issue.

Safari
CVE-ID:  CVE-2007-3759
Impact:  Disabling JavaScript does not take effect until Safari is
restarted
Description:  Safari can be configured to enable or disable
JavaScript. This preference does not take effect until the next time
Safari is restarted. This usually occurs when the iPhone is
restarted. This may mislead users into believing that JavaScript is
disabled when it is not. This update addresses the issue by applying
the new preference prior to loading new web pages.

Safari
CVE-ID:  CVE-2007-3760
Impact:  Visiting a malicious website may result in cross-site
scripting
Description:  A cross-site scripting issue in Safari allows a
maliciously crafted website to bypass the same-origin policy using
"frame" tags. By enticing a user to visit a maliciously crafted web
page, an attacker can trigger the issue, which may lead to the
execution of JavaScript in the context of another site. This update
addresses the issue by disallowing JavaScript as an "iframe" source,
and limiting JavaScript in frame tags to the same access as the site
from which it was served. Credit to Michal Zalewski of Google Inc.
and Secunia Research for reporting this issue.

Safari
CVE-ID:  CVE-2007-3761
Impact:  Visiting a malicious website may result in cross-site
scripting
Description:  A cross-site scripting issue in Safari allows
JavaScript events to be associated with the wrong frame. By enticing
a user to visit a maliciously crafted web page, an attacker may cause
the execution of JavaScript in the context of another site. This
update addresses the issue by associating JavaScript events to the
correct source frame.

Safari
CVE-ID:  CVE-2007-4671
Impact:  JavaScript on websites may access or manipulate the contents
of documents served over HTTPS
Description:  An issue in Safari allows content served over HTTP to
alter or access content served over HTTPS in the same domain. By
enticing a user to visit a maliciously crafted web page, an attacker
may cause the execution of JavaScript in the context of HTTPS web
pages in that domain. This update addresses the issue by limiting
access between JavaScript executing in HTTP and HTTPS frames. Credit
to Keigo Yamazaki of Little eArth Corporation Co., Ltd. for reporting
this issue.

Installation note:

This update is only available through iTunes, and will not appear in
your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an internet connection and have
installed the latest version of iTunes from
http://www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When the
iPhone is docked, iTunes will present the user with the option to
install the update. We recommend applying the update immediately if
possible. Selecting "Don't install" will present the option the next
time you connect your iPhone.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the "Check for Update" button within iTunes. After doing
this, the update can be applied when your iPhone is docked to your
computer.

To check that the iPhone has been updated:
* Navigate to Settings
* Click General
* Click About
The Version after applying this update will be "1.1.1 (3A109a)"

Information will also be posted to the Apple Product Security
web site:  http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/


Security-announce mailing list      (Security-announce@lists.apple.com)
 
 

