Apple plugs iPhone code execution holes

Apple plugs iPhone code execution holesApple’s long-awaited iPhone 2.1 software update was released today with patches for at least eight security vulnerabilities, some of which could lead to remote code execution attacks.

The most serious of the documented flaws affect the built-in Safari browser and could lead to code execution if an iPhone user is tricked into surfing to a booby-trapped Web site.

[ SEE: iPhone passcode lock rendered useless ]

The update also fixes the previously reported passcode lock weakness and an issue in mDNSResponder that puts users at risk of DNS cache poisoning attacks.

Here’s the skinny on the security patches in iPhone 2.1:

  • Application Sandbox (CVE-2008-3631): The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application’s sandbox, and lead to the disclosure of sensitive information.
  • CoreGraphics (CVE-2008-1806, CVE-2008-1807, CVE-2008-180): Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data.
  • mDNSResponder (CVE-2008-1447): mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information.
  • Networking (CVE-2008-3612): TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection.
  • Passcode Lock (CVE-2008-3633): The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call.
  • WebKit (CVE-2008-3632): A use-after-free issue exists in WebKit’s handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.

ALSO SEE: AT&T iPhones exposed to DNS cache poisioning? Or not? and Apple caught neglecting iPhone security

[Source: zdnet]