site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2008-11-20 iPhone OS 2.2 and iPhone OS for iPod touch 2.2 iPhone OS 2.2 and iPhone OS for iPod touch 2.2 is now available and addresses the following issues: CoreGraphics CVE-ID: CVE-2008-2321 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue. ImageIO CVE-ID: CVE-2008-2327 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images. ImageIO CVE-ID: CVE-2008-1586 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected device reset Description: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset. This update addresses the issue by limiting the amount of memory allocated to open a TIFF image. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue. Networking CVE-ID: CVE-2008-4227 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: The encryption level for PPTP VPN connections may be lower than expected Description: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences. Credit to Stephen Butler of the University of Illinois of Urbana-Champaign for reporting this issue. Office Viewer CVE-ID: CVE-2008-4211 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution Description: A signedness issue in Office Viewer's handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the affected index values are not negative. Credit: Apple. Passcode Lock CVE-ID: CVE-2008-4228 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Emergency calls are not restricted to emergency numbers Description: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner. This update addresses the issue by restricting emergency calls to a limited set of phone numbers. Passcode Lock CVE-ID: CVE-2008-4229 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Restoring a device from backup may not re-enable the Passcode Lock Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode. This update addresses the issue by improving the system's ability to recognize missing preferences. This issue does not affect systems prior to iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to Nolen Scaife for reporting this issue. Passcode Lock CVE-ID: CVE-2008-4230 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Short Message Service (SMS) messages may be revealed before the passcode is entered Description: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the "Show SMS Preview" preference was set to "OFF". This update addresses the issue by, in this situation, displaying only a notification that a SMS message has arrived, and not its content. Safari CVE-ID: CVE-2008-4231 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of HTML table elements. Credit to Haifei Li of Fortinet's FortiGuard Global Security Research Team for reporting this issue. Safari CVE-ID: CVE-2008-4232 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Websites with embedded iframe elements may be vulnerable to user interface spoofing Description: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. This update addresses the issue by not allowing iframe elements to display content outside their boundaries. This issue does not affect systems prior to iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to John Resig of Mozilla Corporation for reporting this issue. Safari CVE-ID: CVE-2008-4233 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Visiting a maliciously crafted website may initiate a phone call without user interaction Description: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user's ability to cancel dialing for a short period of time. This update addresses the issue by properly dismissing Safari's call approval dialog when an application is being launched via Safari. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue. Webkit CVE-ID: CVE-2008-3644 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Sensitive information may be disclosed to a person with physical access to an unlocked device Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue. Installation note: This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "don't install" will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the "Check for Update" button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "2.2 (5G77)" or later Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJJJheAAAoJEHkodeiKZIkBGUAH/REuNCXKJY9ft/GyAAQuhdJW 3z8MYEeaWnIGiJJ7YJmbahb5R/HcPEohVQqnmR0U91xlInF/ujS0Sg9ilEroRdRx OWgGjRLjEKD0h5dKHkn6JTVGeGFyLvUuStkAtzaUKgLWQXlIGRb0s6Z4zCHIbLUo lBYCzJ7BTM+NSyo5N+XVm5D+zJZ8Q1Oq1J6WSOSdeuoflWU6Oj75uXOrSA0HsNuQ 8xyoiUsCTbRUFigjuRhts+Oyh3AN1zabh4ms9eQCkRLiSCUNV7L3Yq9xk18GHGZ5 qQFP+VBztxnT7RAf0Yr8ubEBk9OzOyFpJSg3Tr2EGjP/+BCh+4O3f9Dx5CFuk8g= =UWvT -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com