Apple ships (long overdue) iPhone security patches

Finally, after months of waiting, iPhone users get security fixes for a batch of known software vulnerabilities.

The latest iPhone 2.0 and iPod Touch 2.0 update patches at least 13 documented vulnerabilities, including several code execution holes in the Safari (mobile) Web browser. The Safari bug that won the CanSecWest Pwn2Own contest was also patched.

In all, Apple documents eight flaws affecting Safari and another three bugs in WebKit, the open-source browser engine that powers Safari.

[ SEE: Apple caught neglecting iPhone security ]

The update also patches a CFNetwork bug that could lead to spoofing attacks on iPhone and a kernel vulnerability that could cause denial-of-service conditions.

This Apple advisory spells out the risks:

CVE-2008-0050 - A malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error, which could allow a secure website to be spoofed.

CVE-2008-0177 - An undetected failure condition exists in the handling of packets with an IPComp header. Sending a maliciously crafted packet to a system configured to use IPSec or IPv6 may cause an unexpected device reset.

CVE-2008-1588 - When Safari displays the current URL in the address bar, Unicode ideographic spaces are rendered. This allows a maliciously crafted website to direct the user to a spoofed site that visually appears to be a legitimate domain.

CVE-2008-1589 - When Safari accesses a website that uses a self-signed or invalid certificate, it prompts the user to accept or reject the certificate. If the user presses the menu button while at the prompt, then on the next visit to the site, the certificate is accepted with no prompt. This may lead to the disclosure of sensitive information.

CVE-2008-2303 - A signedness issue in Safari’s handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

CVE-2006-2783 - Safari ignores Unicode byte order mark sequences when parsing web pages. Certain websites and web content filters attempt to sanitize input by blocking specific HTML tags. This approach to filtering may be bypassed and lead to cross-site scripting when encountering maliciously crafted HTML tags containing byte order mark sequences.

CVE-2008-2307 - A memory corruption issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-2317 - A memory corruption issue exists in WebCore’s handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

CVE-2007-6284 - A memory consumption issue exists in the handling of XML documents containing invalid UTF-8 sequences, which may lead to a denial of service.

CVE-2008-1767 - A memory corruption issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-1590 - A memory corruption issue exists in JavaScriptCore’s handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-1025 - An issue exists in WebKit’s handling of URLs containing a colon character in the host name. Accessing a maliciously crafted URL may lead to a cross-site scripting attack.

CVE-2008-1026 - A heap buffer overflow exists in WebKit’s handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This is Charlie Miller’s Pwn2Own contest vulnerability.
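The filter bypass behind CVE-2006-2783 above, as an added example that is not part of the original article or Apple's advisory: a constructed tag blocklist misses a tag when the filter compares raw text while the parser silently drops byte order marks, and normalizing the input before filtering closes that gap. The blocklist, the sample markup and the parser model are assumptions for illustration; the normalization step generalizes from the BOM to all Unicode format characters.

```python
import re
import unicodedata

# The byte order mark that the vulnerable parser described in CVE-2006-2783 ignored.
BOM = "\ufeff"

# Constructed blocklist of the kind a naive content filter might use (assumption,
# not taken from any real filter).
BLOCKED_TAGS = ("script", "iframe", "object", "embed")
_BLOCK_RE = re.compile(r"</?\s*(?:%s)\b" % "|".join(BLOCKED_TAGS), re.IGNORECASE)


def vulnerable_parser_view(html: str) -> str:
    """Model of the pre-patch behaviour: BOM code points are dropped before
    tag names are compared, so <sc[BOM]ript> is parsed as <script>."""
    return html.replace(BOM, "")


def naive_filter_blocks(html: str) -> bool:
    """Blocklist check run on the raw text. It inspects a different token
    stream than the browser does, which is the root cause of the bypass."""
    return _BLOCK_RE.search(html) is not None


def normalize(html: str) -> str:
    """Remove every Unicode 'Cf' (format) character, BOM included, before
    filtering. This goes beyond the BOM-only case in the advisory: any format
    character a lenient parser might drop gets the same treatment."""
    return "".join(ch for ch in html if unicodedata.category(ch) != "Cf")


def hardened_filter_blocks(html: str) -> bool:
    """Same blocklist, applied to the normalized text. Normalizing first is a
    narrow fix; escaping untrusted markup or allowlisting elements is the more
    robust design, since a blocklist only ever catches tokens it knows about."""
    return _BLOCK_RE.search(normalize(html)) is not None


# Constructed sample inputs (not from the page).
CLEAN_HTML = "<p>Hello, world</p>"
PLAIN_TAG = "<script>/* caught by both filters */</script>"
BOM_TAG = "<sc\ufeffript>/* slips past the naive filter */</sc\ufeffript>"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HTML), ("plain", PLAIN_TAG), ("bom", BOM_TAG)):
        print(f"{label:>5}: naive={naive_filter_blocks(sample)} "
              f"hardened={hardened_filter_blocks(sample)} "
              f"browser sees={vulnerable_parser_view(sample)!r}")
```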


[Source: zdnet]
