
November 21st, 2008

iPhone update kills 12 security bugs

Posted by Ryan Naraine @ 6:51 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Malware, Mobile (In)Security, Open source, Passwords, Patch Watch, Responsible disclosure, Vulnerability research, iPhone

Tags: Apple iPhone, Security, Issue, SMS, Arbitrary Code Execution, Security Bug, Application Termination, Text Messaging/SMS/MMS, Telephony, Cellular Phones

Apple has released iPhone OS 2.2 with patches for 12 documented security flaws, some very serious.

The vulnerabilities covered by the patch (which also affect iPod Touch) could allow remote code execution, information theft, software crashes and weakened encryption settings.

The skinny on this batch of updates:

  • CVE-2008-2321: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution.  Credit to Michal Zalewski of Google for reporting this issue.
  • CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-1586: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset. Credit to Sergio ‘shadown’ Alvarez of n.runs AG for reporting this issue.
  • CVE-2008-4227: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences. Credit to Stephen Butler of the University of Illinois of Urbana-Champaign for reporting this issue.
  • CVE-2008-4211: A signedness issue in Office Viewer’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. Apple discovered this bug internally.
  • CVE-2008-4228:  iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner.
  • CVE-2008-4229: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode. Credit to Nolen Scaife for reporting this issue.
  • CVE-2008-4230: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the “Show SMS Preview” preference was set to “OFF”. This update addresses the issue by, in this situation, displaying only a notification that an SMS message has arrived, and not its content.
  • CVE-2008-4231: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Credit to Haifei Li of Fortinet’s FortiGuard Global Security Research Team for reporting this issue.
  • CVE-2008-4232: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. Credit to John Resig of Mozilla Corporation for reporting this issue.
  • CVE-2008-4233: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user’s ability to cancel dialing for a short period of time. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.
  • CVE-2008-3644: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device.
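
The bug class named in the CVE-2008-4211 entry above, as an added illustration (not Apple's code and not part of the original post): it shows why an upper-bound-only check on a signed column index accepts a negative value, next to the unsigned form that rejects it. The 2-byte column field, `MAX_COLS`, the sample records and all function names are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_COLS 256 /* assumed row width for this sketch */

/* Constructed sample records: a 2-byte little-endian column field. */
static const uint8_t REC_GOOD[2] = {0x05, 0x00}; /* column 5 */
static const uint8_t REC_BAD[2]  = {0xFF, 0xFF}; /* 0xFFFF, as a crafted file could carry */

/* Read a little-endian 16-bit field from untrusted file bytes. */
static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Flawed check: the field lands in a signed type and only the upper
 * bound is tested, so 0xFFFF becomes -1 and passes "col < MAX_COLS".
 * Using that value as an index would address memory before the row. */
int flawed_col_ok(const uint8_t *rec) {
    int16_t col = (int16_t)read_u16le(rec);
    return col < MAX_COLS;
}

/* Hardened check: keep the field unsigned, so a single comparison
 * rejects everything outside 0..MAX_COLS-1. */
int safe_col_ok(const uint8_t *rec) {
    uint16_t col = read_u16le(rec);
    return col < MAX_COLS;
}

/* Write a cell only after validation; 0 on success, -1 if rejected. */
int store_cell(uint32_t *row, const uint8_t *rec, uint32_t value) {
    if (!safe_col_ok(rec))
        return -1;
    row[read_u16le(rec)] = value;
    return 0;
}

int main(void) {
    uint32_t row[MAX_COLS] = {0};
    printf("flawed check accepts 0xFFFF: %d\n", flawed_col_ok(REC_BAD));
    printf("safe check accepts 0xFFFF:   %d\n", safe_col_ok(REC_BAD));
    printf("store column 5: %d\n", store_cell(row, REC_GOOD, 42));
    printf("store 0xFFFF:   %d\n", store_cell(row, REC_BAD, 42));
    return 0;
}
```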

It should be mentioned that several known phishing and spamming flaws in iPhone are not yet addressed.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback

Depends on what you call similar
It is "based on OS X", yes, and OS X is based on FreeBSD. To say that flaws in the iPhone OS must affect Mac OS X makes as much sense as saying they must also affect FreeBSD. It is possible that bug...
Posted by: Fred Fredrickson Posted on: 11/26/08