APPLE-SA-2007-09-27 iPhone v1.1.1 Update
iPhone v1.1.1 Update is now available and addresses the following issues:

Bluetooth
CVE-ID: CVE-2007-3753
Impact: An attacker within Bluetooth range may be able to cause an unexpected application termination or arbitrary code execution
Description: An input validation issue exists in the iPhone's Bluetooth server. By sending maliciously-crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker may trigger the issue, which may lead to unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SDP packets. Credit to Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this issue.

Mail
CVE-ID: CVE-2007-3754
Impact: Checking email over untrusted networks may lead to information disclosure via a man-in-the-middle attack
Description: When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information. This update addresses the issue by properly warning when the identity of the remote mail server has changed.

Mail
CVE-ID: CVE-2007-3755
Impact: Following a telephone ("tel:") link in Mail will dial a phone number without confirmation
Description: Mail supports telephone ("tel:") links to dial phone numbers. By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation. This update addresses the issue by providing a confirmation window before dialing a phone number via a telephone link in Mail. Credit to Andi Baritchi of McAfee for reporting this issue.

Safari
CVE-ID: CVE-2007-3756
Impact: Visiting a malicious website may lead to the disclosure of URL contents
Description: A design issue in Safari allows a web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted web page, an attacker may be able to obtain the URL of an unrelated page. This update addresses the issue through an improved cross-domain security check. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.

Safari
CVE-ID: CVE-2007-3757
Impact: Visiting a malicious website may lead to unintended dialing or dialing a different number than expected
Description: Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation. This update addresses the issue by properly displaying the number that will be dialed, and requiring confirmation for telephone links. Credit to Billy Hoffman and Bryan Sullivan of HP Security Labs (Formerly SPI Labs) and Eduardo Tang for reporting this issue.
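
The two "tel:" entries above (CVE-2007-3755 in Mail, CVE-2007-3757 in Safari) both come down to one rule: the confirmation must show exactly the string that will be dialed, and only an explicit confirmation may dial. The sketch below is an added illustration of that rule, not Apple's code and not part of the advisory; the function names, the askUser/dial callbacks and the strict digits-only policy are assumptions made for the example.

```javascript
// Added illustration, not Apple's code. All function names are hypothetical.
// Visual separators people write in numbers; removed before validation.
const SEPARATORS = /[-.() ]/g;
// After cleanup only ASCII digits with an optional leading '+' may remain.
const DIALABLE = /^\+?[0-9]{1,15}$/;

// Reduce a tel: link to the one string that is both shown and dialed.
// Returns null when the link is not plainly a phone number.
function canonicalTelNumber(href) {
  const m = /^tel:(.*)$/i.exec(String(href).trim());
  if (!m) return null;
  let raw;
  try {
    raw = decodeURIComponent(m[1]); // decode once; a leftover '%' fails below
  } catch (e) {
    return null; // malformed percent-encoding
  }
  const number = raw.replace(SEPARATORS, "");
  return DIALABLE.test(number) ? number : null;
}

// askUser(text) is a hypothetical UI callback returning "confirm", "cancel",
// or undefined when the prompt goes away without an answer (app exit, timeout).
// dial(number) is a hypothetical hand-off to the phone application.
function handleTelLink(href, askUser, dial) {
  const number = canonicalTelNumber(href);
  if (number === null) return { action: "rejected" };
  const answer = askUser(`Call ${number}?`);
  // Only an explicit "confirm" dials; dismissal is treated as refusal.
  if (answer !== "confirm") return { action: "not-dialed", shown: number };
  dial(number); // same string the user just saw
  return { action: "dialed", shown: number };
}

// Constructed sample links (555-01xx numbers are fictional).
const samples = [
  "tel:+1-(555)-010-0199",   // separators only
  "tel:555%2D0100",          // percent-encoded separator
  "tel:5550100;ext=12",      // parameters are not shown, so reject
  "tel:%2A%2306%23",         // decodes to *#06#, not a plain number
  "tel:%zz",                 // malformed encoding
];
for (const href of samples) {
  const placed = [];
  const result = handleTelLink(href, () => "confirm", (n) => placed.push(n));
  console.log(href, "->", result.action, placed[0] || "");
}
```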
This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from http://www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "Don't install" will present the option the next time you connect your iPhone.
The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the "Check for Update" button within iTunes. After doing this, the update can be applied when your iPhone is docked to your computer.
To check that the iPhone has been updated:
* Navigate to Settings
* Click General
* Click About

The Version after applying this update will be "1.1.1 (3A109a)"
Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/
Security-announce mailing list