Apple iOS Multiple Vulnerabilities

SA50586

CVE-2011-1167, CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-2845, CVE-2011-3016, CVE-2011-3021, CVE-2011-3026, CVE-2011-3027, CVE-2011-3032, CVE-2011-3034, CVE-2011-3035, CVE-2011-3036, CVE-2011-3037, CVE-2011-3038, CVE-2011-3039, CVE-2011-3040, CVE-2011-3041, CVE-2011-3042, CVE-2011-3043, CVE-2011-3044, CVE-2011-3048, CVE-2011-3050, CVE-2011-3053, CVE-2011-3059, CVE-2011-3060, CVE-2011-3064, CVE-2011-3067, CVE-2011-3068, CVE-2011-3069, CVE-2011-3071, CVE-2011-3073, CVE-2011-3074, CVE-2011-3075, CVE-2011-3076, CVE-2011-3078, CVE-2011-3081, CVE-2011-3086, CVE-2011-3089, CVE-2011-3090, CVE-2011-3105, CVE-2011-3328, CVE-2011-3457, CVE-2011-3913, CVE-2011-3919, CVE-2011-3924, CVE-2011-3926, CVE-2011-3958, CVE-2011-3966, CVE-2011-3968, CVE-2011-3969, CVE-2011-3971, CVE-2011-4599, CVE-2012-0680, CVE-2012-0682, CVE-2012-0683, CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133, CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1142, CVE-2012-1143, CVE-2012-1144, CVE-2012-1173, CVE-2012-1520, CVE-2012-1521, CVE-2012-2815, CVE-2012-2818, CVE-2012-3589, CVE-2012-3590, CVE-2012-3591, CVE-2012-3592, CVE-2012-3593, CVE-2012-3594, CVE-2012-3595, CVE-2012-3596, CVE-2012-3597, CVE-2012-3598, CVE-2012-3599, CVE-2012-3600, CVE-2012-3601, CVE-2012-3602, CVE-2012-3603, CVE-2012-3604, CVE-2012-3605, CVE-2012-3608, CVE-2012-3609, CVE-2012-3610, CVE-2012-3611, CVE-2012-3612, CVE-2012-3613, CVE-2012-3614, CVE-2012-3615, CVE-2012-3617, CVE-2012-3618, CVE-2012-3620, CVE-2012-3624, CVE-2012-3625, CVE-2012-3626, CVE-2012-3627, CVE-2012-3628, CVE-2012-3629, CVE-2012-3630, CVE-2012-3631, CVE-2012-3633, CVE-2012-3634, CVE-2012-3635, CVE-2012-3636, CVE-2012-3637, CVE-2012-3638, CVE-2012-3639, CVE-2012-3640, CVE-2012-3641, CVE-2012-3642, CVE-2012-3644, CVE-2012-3645, CVE-2012-3646, CVE-2012-3647, CVE-2012-3648, CVE-2012-3650, CVE-2012-3651, CVE-2012-3652, CVE-2012-3653, CVE-2012-3655, CVE-2012-3656, CVE-2012-3658, CVE-2012-3659, CVE-2012-3660, CVE-2012-3661, CVE-2012-3663, CVE-2012-3664, CVE-2012-3665, CVE-2012-3666, CVE-2012-3667, CVE-2012-3668, CVE-2012-3669, CVE-2012-3670, CVE-2012-3671, CVE-2012-3672, CVE-2012-3673, CVE-2012-3674, CVE-2012-3676, CVE-2012-3677, CVE-2012-3678, CVE-2012-3679, CVE-2012-3680, CVE-2012-3681, CVE-2012-3682, CVE-2012-3683, CVE-2012-3684, CVE-2012-3686, CVE-2012-3691, CVE-2012-3693, CVE-2012-3695, CVE-2012-3696, CVE-2012-3703, CVE-2012-3704, CVE-2012-3706, CVE-2012-3708, CVE-2012-3710, CVE-2012-3722, CVE-2012-3724, CVE-2012-3725, CVE-2012-3726, CVE-2012-3727, CVE-2012-3728, CVE-2012-3729, CVE-2012-3730, CVE-2012-3731, CVE-2012-3732, CVE-2012-3733, CVE-2012-3734, CVE-2012-3735, CVE-2012-3736, CVE-2012-3737, CVE-2012-3738, CVE-2012-3739, CVE-2012-3740, CVE-2012-3741, CVE-2012-3742, CVE-2012-3743, CVE-2012-3744, CVE-2012-3745, CVE-2012-3746, CVE-2012-3747

20 Sep 2012

Highly Critical

Unpatched

From remote

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Cross-Site Scripting

Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.

Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".

Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Exposure of system information

Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally.

Privilege escalation

This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users.

This typically includes cases where a local user on a client or server system can gain access to the administrator or root account thus taking full control of the system.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Spoofing

This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems.

Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious, local users to disclose system information and gain escalated privileges, by malicious people to disclose potentially sensitive information, conducts spoofing attacks, and compromise a user's device, and by malicious people with physical access to disclose potentially sensitive information and bypass certain security restrictions.

1) An error in CFNetwork when handling certain URLs can be exploited to submit data to an incorrect hostname.

2) Some vulnerabilities exist in the bundled version of FreeType.

For more information:
SA48268

3) An error in CoreMedia when processing Sorenson encoded movies can be exploited to dereference uninitialized memory.

4) An error in DHCP when connection to WiFi networks may disclose a MAC address of previously accessed networks via DNAv4 protocol.

5) ImageIO bundles a vulnerable version of LibTIFF library.

For more information:
SA43593
SA48684

6) ImageIO bundles a vulnerable version of libpng library.

For more information:
SA46148
SA48026
SA48587

7) An double-free error exists in ImageIO when processing JPEG images.

8) An error in International Components for Unicode when handling locale IDs can be exploited to cause a stack-based buffer overflow.

9) A boundary error in IPSec when loading racoon configuration files can be exploited to cause a buffer overflow.

10) An error in the kernel when handling packet filter IOCTLs can be exploited to dereference an invalid pointer.

11) An error in the kernel when related to BPF interpreter can be exploited to disclose certain memory content.

12) Some vulnerabilities exist in the bundled version of libxml library.

For more information:
SA44711
SA46632

13) An error in Mail when handling attachments can be exploited to disclose a unintended attachments via the "Content-ID" field.

14) An error in Mail within Data Protection on attachments can be exploited to access an attachment without a passcode.

15) An error in Mail when processing S/MIME signed messages does not display the correct identity of a signer and can be exploited to spoof an identity via the "From" field.

16) An error in Messages when multiple email addresses are used may result in replies being sent using the wrong address.

17) An error in Office Viewer when processing document files may result in data being stored in temporary files in a decrypted state even when data protection / encryption is enabled.

18) An error in OpenGL when performing GLSL compilation can be exploited to corrupt memory.

19) An error in Passcode Lock related to "Slide to Power Off" slider may disclose the last used third party application.

20) An error in Passcode Lock related to termination of FaceTime calls may allow bypassing the screen lock.

21) An error in Passcode Lock related to lock screen photos may disclose all photos accessible at the lock screen.

22) An error in Passcode Lock related to Emergency Dialer screen may allow making FaceTime calls and disclose user's contacts.

23) An error in Passcode Lock related to the camera usage may allow bypassing the screen lock.

24) An error in Passcode Lock related lock state management may allow bypassing the screen lock.

25) An error in Restrictions during purchase transactions may result in transaction being made without the Appled ID credentials.

26) An error in Safari when handling certain Unicode characters may allow spoofing the lock icon in the page title.

27) An error in Safari when handling password input elements with a disabled "autocomplete" attribute allowed the input to be autocompleted.

28) An error in System Logs due to weak restrictions on the "/var/log" directory can be exploited by sandboxed applications to disclose log details.

29) An error in Telephony did not properly display the return address of SMS messages.

30) An off-by-one error in Telephony when handling SMS data headers can be exploited to disable cellular activity.

31) An error in UIKit within UIWebView may result in unencrypted files being stored even when a passcode is enabled.

32) Multiple vulnerabilities exist in WebKit.

For more information:
SA46594
SA47231
SA47694
SA47938
SA48016
SA48265
SA48274
SA48512
SA48618
SA48732
SA48992
SA49194
SA49277
SA49724
SA49906
SA50058

Upgrade to iOS 6 via Software Update.

8, 28) Reported by the vendor.

The vendor also credits:
1) Erling Ellingsen, Facebook
3) Will Dormann, CERT/CC
4) Mark Wuergler, Immunity, Inc.
7) Phil, PKJE Consulting
9, 10) iOS Jailbreak Dream Team
11) Dan Rosenberg
13) Angelo Prado, salesforce.com Product Security Team
14) Stephen Prairie, Travelers Insurance, Erich Stuntebeck of AirWatch
15) Anonymous person
16) Rodney S. Foley, Gnomesoft, LLC
17) Salvatore Cataudella, Open Systems Technologies
19) Chris Lawrence, DBB
20, 24) Ian Vitek, 2Secure AB
21, 22) Ade Barkah, BlueWax Inc.
23) Sebastian Spanninger, Austrian Federal Computing Centre (BRZ)
25) Kevin Makens, Redwood High School
26) Boku Kihara, Lepidum
27) Dan Poltawski, Moodle
29, 30) pod2g
31) Ben Smith, Box

Apple:
http://support.apple.com/kb/HT5503