CPNI - Centre for the Protection of National Infrastructure


CSIRTUK advisories

3659 - APPLE-SA-2008-07-11 iPhone 2.0 and iPod touch 2.0

ID: 3659
Date: 15/07/2008

Title: 3659 - APPLE-SA-2008-07-11 iPhone 2.0 and iPod touch 2.0
Platform level affected: Net Application - Client
Hardware components affected: Apple MAC
Specific operating systems components affected: Other
Other software: Web Browser
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: Apple
Applications affected: iPhone 2.0; iPod touch
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Host DoS
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Apple
Reliability of source: Trusted
Source URL: http://support.apple.com/kb/HT1222
Abstract: Apple have announced that versions iPhone 2.0 and iPod touch 2.0 are now available that address a number of security issues.

APPLE-SA-2008-07-11 iPhone 2.0 and iPod touch 2.0

iPhone 2.0 and iPod touch 2.0 are now available and address the following issues:

CFNetwork
CVE-ID:  CVE-2008-0050
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  A malicious proxy server may spoof secure websites
Description:  A malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error, which could allow a secure website to be spoofed. This update addresses the issue by not returning the proxy-supplied data on an error condition.

Kernel
CVE-ID:  CVE-2008-0177
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  A remote attacker may be able to cause an unexpected device reset
Description:  An undetected failure condition exists in the handling of packets with an IPComp header. Sending a maliciously crafted packet to a system configured to use IPSec or IPv6 may cause an unexpected device reset. This update addresses the issue by properly detecting the failure condition.

Safari
CVE-ID:  CVE-2008-1588
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Unicode ideographic spaces may be used to spoof a website
Description:  When Safari displays the current URL in the address bar, Unicode ideographic spaces are rendered. This allows a maliciously crafted website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by not rendering Unicode ideographic spaces in the address bar.
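The display-side fix described for CVE-2008-1588, sketched as an added example (not Apple's or CPNI's code): Unicode space characters in a URL are made visible as percent-encoded bytes instead of being drawn as blank space. The function names, the character set chosen and the sample URL are assumptions made for illustration.

```javascript
// Added illustration; names and the sample URL are constructed.
// Unicode space separators (general category Zs, which includes U+3000
// IDEOGRAPHIC SPACE) and zero-width characters draw as blank or invisible
// glyphs, so a URL shown to a user should expose them rather than render them.
const DECEPTIVE_SPACE = /[\p{Zs}\u200B-\u200D\u2060\uFEFF]/gu;

// Constructed sample: a URL string carrying two ideographic spaces.
const SAMPLE_URL = "http://www.example.com\u3000\u3000/path";

// Report every deceptive character with its offset and code point,
// e.g. for logging or for rejecting the URL outright.
function findDeceptiveSpaces(url) {
  return [...url.matchAll(DECEPTIVE_SPACE)].map((m) => ({
    index: m.index,
    codePoint:
      "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Build the string to show in an address bar, link preview or log line:
// each deceptive character is replaced by its percent-encoded UTF-8 bytes.
function displayForm(url) {
  return url.replace(DECEPTIVE_SPACE, (ch) => encodeURIComponent(ch));
}

// True when the URL can be displayed unchanged.
function isDisplaySafe(url) {
  return findDeceptiveSpaces(url).length === 0;
}
```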

Safari
CVE-ID:  CVE-2008-1589
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description:  When Safari accesses a website that uses a self-signed or invalid certificate, it prompts the user to accept or reject the certificate. If the user presses the menu button while at the prompt, then on the next visit to the site, the certificate is accepted with no prompt. This may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of certificates. Credit to Hiromitsu Takagi for reporting this issue.

Safari
CVE-ID:  CVE-2008-2303
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.

Safari
CVE-ID:  CVE-2006-2783
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Visiting a maliciously crafted website may lead to cross-site scripting
Description:  Safari ignores Unicode byte order mark sequences when parsing web pages. Certain websites and web content filters attempt to sanitize input by blocking specific HTML tags. This approach to filtering may be bypassed and lead to cross-site scripting when encountering maliciously-crafted HTML tags containing byte order mark sequences. This update addresses the issue through improved handling of byte order mark sequences. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.
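The filter-side weakness described for CVE-2006-2783, as an added example (not Apple's or CPNI's code): a tag blocklist that matches on raw text disagrees with a parser that ignores byte order marks, so the filter has to canonicalise first, or better, encode on output. The function names, the set of characters treated as ignorable and the sample string are assumptions made for illustration.

```javascript
// Added illustration; names and the sample input are constructed.
// A parser that ignores U+FEFF reads "<scr\uFEFFipt>" as "<script>".
// A filter is only sound if it inspects the text the way the consuming
// parser will see it.
const BLOCKED_TAGS = ["script", "iframe", "object"];

// Assumption: characters a lenient parser may silently drop
// (BOM, zero-width characters, word joiner, soft hyphen).
const IGNORABLE = /[\uFEFF\u200B-\u200D\u2060\u00AD]/g;

// Constructed sample: a blocked tag name split by a byte order mark.
const SAMPLE_INPUT = "<scr\uFEFFipt>/* constructed */</scr\uFEFFipt>";

// Weak form: matches blocked tag names against the raw input.
function naiveContainsBlockedTag(html) {
  const lower = html.toLowerCase();
  return BLOCKED_TAGS.some((tag) => lower.includes("<" + tag));
}

// Remove ignorable characters so the filter and the parser agree.
function canonicalize(html) {
  return html.replace(IGNORABLE, "");
}

// Hardened form: canonicalise first, then apply the same blocklist.
function hardenedContainsBlockedTag(html) {
  return naiveContainsBlockedTag(canonicalize(html));
}

// More robust than any blocklist: encode markup characters on output so
// the browser never interprets user-supplied text as a tag at all.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return canonicalize(text).replace(/[&<>"']/g, (ch) => map[ch]);
}
```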

Safari
CVE-ID:  CVE-2008-2307
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to James Urquhart for reporting this issue.

Safari
CVE-ID:  CVE-2008-2317
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebCore's handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to Peter Vreugdenhil working with the TippingPoint Zero Day Initiative for reporting this issue.

Safari
CVE-ID:  CVE-2007-6284
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Processing an XML document may lead to a denial of service
Description:  A memory consumption issue exists in the handling of XML documents containing invalid UTF-8 sequences, which may lead to a denial of service. This update addresses the issue by updating the libxml2 system library to version 2.6.16.

Safari
CVE-ID:  CVE-2008-1767
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Processing an XML document may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via the xmlsoft.org website http://xmlsoft.org/XSLT/ Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team for reporting this issue.

WebKit
CVE-ID:  CVE-2008-1590
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in JavaScriptCore's handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to Itzik Kotler and Jonathan Rom of Radware for reporting this issue.

WebKit
CVE-ID:  CVE-2008-1025
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Accessing a maliciously crafted URL may result in cross-site scripting
Description:  An issue exists in WebKit's handling of URLs containing a colon character in the host name. Accessing a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs. Credit to Robert Swiecki of the Google Security Team, and David Bloom for reporting this issue.

WebKit
CVE-ID:  CVE-2008-1026
Available for:  iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact:  Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller of Independent Security Evaluators for reporting this issue.

Installation note:

This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly schedule.  When an update is detected, it will download it.  When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update.  We recommend applying the update immediately if possible.  Selecting "don't install" will present the option the next time you connect your iPhone or iPod touch.

The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the "Check for Update" button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer.

To check that the iPhone or iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About.  The version after applying this update will be "2.0 (5A345)" or later

Information will also be posted to the Apple Security Updates web site:  http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/


This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Tue, 15 Jul 2008 10:12:00 GMT
Domain affected: Technical