APPLE-SA-2009-06-17-1 iPhone OS 3.0 Software Update
Posted on 17 June 2009 to Apple Security-announce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2009-06-17-1 iPhone OS 3.0 Software Update
iPhone OS 3.0 Software Update is now available and addresses the
following:
CoreGraphics
CVE-ID: CVE-2008-3623
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of color
spaces within CoreGraphics. Viewing a maliciously crafted image may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit: Apple.
CoreGraphics
CVE-ID: CVE-2009-0145
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in
CoreGraphics' handling of PDF files. Opening a maliciously crafted
PDF file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issues through
improved bounds and error checking.
CoreGraphics
CVE-ID: CVE-2009-0146, CVE-2009-0147, CVE-2009-0165
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing or downloading a PDF file containing a maliciously
crafted JBIG2 stream may lead to an unexpected application
termination or arbitrary code execution
Description: Multiple heap buffer overflows exist in CoreGraphics'
handling of PDF files containing JBIG2 streams. Viewing or
downloading a PDF file containing a maliciously crafted JBIG2 stream
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to Apple, Alin Rad Pop of Secunia Research, and Will
Dormann of CERT/CC for reporting this issue.
CoreGraphics
CVE-ID: CVE-2009-0155
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer underflow in CoreGraphics' handling of PDF
files may result in a heap buffer overflow. Opening a maliciously
crafted PDF file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking. Credit to Barry K. Nathan for reporting
this issue.
CoreGraphics
CVE-ID: CVE-2009-1179
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow in CoreGraphics' handling of PDF
files may result in a heap buffer overflow. Opening a PDF file
containing a maliciously crafted JBIG2 stream may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Will Dormann of CERT/CC for reporting this issue.
CoreGraphics
CVE-ID: CVE-2009-0946
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in FreeType v2.3.8
Description: Multiple integer overflows exist in FreeType v2.3.8,
which may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issues through improved
bounds checking. Credit to Tavis Ormandy of the Google Security Team
for reporting these issues.
Exchange
CVE-ID: CVE-2009-0958
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Connecting to a malicious Exchange server may lead to the
disclosure of sensitive information
Description: Accepting an untrusted Exchange server certificate
results in storing an exception on a per-hostname basis. On the next
visit to an Exchange server contained in the exception list, its
certificate is accepted with no prompt and validation. This may lead
to the disclosure of credentials or application data. This update
addresses the issue through improved handling of untrusted
certificate exceptions. Credit to FD of Securus Global for reporting
this issue.
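The Exchange issue above turns on what a stored certificate exception is keyed by. The following is an added example, not Apple's or any Exchange client's code: it models a per-hostname exception store (the flawed behaviour described) beside one that binds the exception to the certificate's fingerprint, so a different certificate presented later by the same hostname is prompted for again. The certificate bytes, the hostname and the prompt callback are constructed stand-ins.

```python
# Added example (not Apple's code): certificate exceptions keyed by hostname
# only, versus exceptions keyed by (hostname, certificate fingerprint).
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Decision:
    accepted: bool   # was the connection allowed to proceed?
    prompted: bool   # did the user have to confirm this certificate?


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual way to identify one certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class ExceptionStore:
    # hostname -> fingerprint of the one certificate the user accepted for it
    by_host: Dict[str, str] = field(default_factory=dict)

    def evaluate_per_hostname(self, hostname: str, cert_der: bytes, chain_valid: bool,
                              ask_user: Callable[[str, str], bool]) -> Decision:
        """Flawed behaviour the advisory describes: once any certificate for a
        hostname has been accepted, every later certificate for that hostname
        is accepted with no prompt and no validation."""
        if chain_valid:
            return Decision(True, False)
        if hostname in self.by_host:
            return Decision(True, False)
        fp = fingerprint(cert_der)
        if ask_user(hostname, fp):
            self.by_host[hostname] = fp
            return Decision(True, True)
        return Decision(False, True)

    def evaluate_per_certificate(self, hostname: str, cert_der: bytes, chain_valid: bool,
                                 ask_user: Callable[[str, str], bool]) -> Decision:
        """Corrected behaviour: the exception applies only to the exact
        (hostname, fingerprint) pair the user saw and accepted."""
        if chain_valid:
            return Decision(True, False)
        fp = fingerprint(cert_der)
        if self.by_host.get(hostname) == fp:
            return Decision(True, False)
        if ask_user(hostname, fp):
            self.by_host[hostname] = fp
            return Decision(True, True)
        return Decision(False, True)


# Constructed stand-ins for two different DER certificates for the same host.
CERT_ORIGINAL = b"constructed-der-bytes-cert-A"
CERT_SUBSTITUTE = b"constructed-der-bytes-cert-B"


def always_accept(host: str, fp: str) -> bool:
    return True


def never_accept(host: str, fp: str) -> bool:
    return False


def demo() -> dict:
    """Accept cert A on first contact, then present cert B: the per-hostname
    store lets B through silently, the per-certificate store prompts again."""
    flawed = ExceptionStore()
    flawed.evaluate_per_hostname("mail.example.com", CERT_ORIGINAL, False, always_accept)
    silent = flawed.evaluate_per_hostname("mail.example.com", CERT_SUBSTITUTE, False, never_accept)

    fixed = ExceptionStore()
    fixed.evaluate_per_certificate("mail.example.com", CERT_ORIGINAL, False, always_accept)
    reprompt = fixed.evaluate_per_certificate("mail.example.com", CERT_SUBSTITUTE, False, never_accept)

    return {"flawed_accepted_silently": silent.accepted and not silent.prompted,
            "fixed_prompted_again": reprompt.prompted and not reprompt.accepted}


if __name__ == "__main__":
    print(demo())
```

The design point is that the thing a user accepted is one certificate, not a hostname; storing the fingerprint makes a later substitution visible instead of silent.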
ImageIO
CVE-ID: CVE-2009-0040
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling
of PNG images. Processing a maliciously crafted PNG image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue through additional validation of PNG
images. Credit to Tavis Ormandy of Google Security Team for reporting
this issue.
International Components for Unicode
CVE-ID: CVE-2009-0153
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Maliciously crafted content may bypass website filters and
result in cross-site scripting
Description: An implementation issue exists in ICU's handling of
certain character encodings. Using ICU to convert invalid byte
sequences to Unicode may result in over-consumption, where trailing
bytes are considered part of the original character. This may be
leveraged by an attacker to bypass filters on websites that attempt
to mitigate cross-site scripting. This update addresses the issue
through improved handling of invalid byte sequences. Credit to Chris
Weber of Casaba Security for reporting this issue.
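The ICU issue above is about a decoder that, on an invalid byte sequence, consumes the bytes that follow as if they were part of the character. The following is an added example, not ICU's code: a toy decoder that over-consumes in exactly that way is placed next to Python's built-in UTF-8 decoder, which replaces only the invalid bytes and resumes at the next byte. The sample input is constructed; the point for a filter author is that strict validation (or outright rejection of invalid input) removes the disagreement between the two views.

```python
# Added example (not ICU's code): over-consumption on invalid UTF-8, and the
# strict decoding that avoids it.


def lenient_decode(data: bytes) -> str:
    """Trusts the width announced by each lead byte and swallows that many
    bytes even when the trailing bytes are not continuation bytes (0x80-0xBF).
    This is the over-consumption pattern the advisory describes."""
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            width = 1
        elif 0xC0 <= lead <= 0xDF:
            width = 2
        elif 0xE0 <= lead <= 0xEF:
            width = 3
        elif 0xF0 <= lead <= 0xF7:
            width = 4
        else:
            width = 1  # stray continuation byte or out-of-range lead byte
        chunk = data[i:i + width]
        try:
            out.append(chunk.decode("utf-8"))
        except UnicodeDecodeError:
            # The whole chunk is replaced, including any ASCII it swallowed.
            out.append("\ufffd")
        i += width
    return "".join(out)


def strict_decode(data: bytes) -> str:
    """Python's decoder replaces only the invalid bytes and resumes at the next
    byte, so ASCII following a broken sequence survives."""
    return data.decode("utf-8", errors="replace")


def is_valid_utf8(data: bytes) -> bool:
    """Rejecting invalid input outright removes the ambiguity entirely."""
    try:
        data.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def filter_disagrees(data: bytes, sensitive: str = "<") -> bool:
    """True when a filter looking for `sensitive` on the strict view would reach
    a different verdict than a consumer that decodes leniently."""
    return (sensitive in strict_decode(data)) != (sensitive in lenient_decode(data))


# Constructed input: a truncated 3-byte sequence (E3 81) followed by ASCII.
SAMPLE = b"\xe3\x81<b>bold"

if __name__ == "__main__":
    print(repr(strict_decode(SAMPLE)), repr(lenient_decode(SAMPLE)))
    print("filter and lenient consumer disagree:", filter_disagrees(SAMPLE))
```

A filter that inspects the strict view sees the "<" and can act on it; a consumer that decodes leniently never sees it, because it was eaten as the third byte of the broken character. Validating input as UTF-8 before any filtering, and refusing what fails, is the simplest way to keep both sides looking at the same text.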
IPSec
CVE-ID: CVE-2008-3651, CVE-2008-3652
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in the racoon daemon may lead to a
denial of service
Description: Multiple memory leaks exist in the racoon daemon in
ipsec-tools before 0.7.1, which may lead to a denial of service. This
update addresses the issues through improved memory management.
libxml
CVE-ID: CVE-2008-3281, CVE-2008-3529, CVE-2008-4409, CVE-2008-4225,
CVE-2008-4226
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in libxml2 version 2.6.16
Description: Multiple vulnerabilities in libxml2 version 2.6.16, the
most serious of which may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by updating the libxml2 system library to version 2.7.3.
Mail
CVE-ID: CVE-2009-0960
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Users do not have control over the loading of remote images
in HTML messages
Description: Mail does not provide a preference to turn off the
automatic loading of remote images. Opening an HTML email containing
a remote image will automatically request it. The server hosting a
remote image can determine that the email was read, and the network
address of the device. This update addresses the issue by adding a
preference to turn off the automatic loading of remote images. Credit
to Ronald C.F. Antony of Cubiculum Systems, Stefan Seiz of ERNI
Electronics GmbH, Oskar Lissheim-Boethius of iPhone development house
OLB Productions, Meyer Consulting, Oliver Quas, Christian Schmitz of
MonkeybreadSoftware, Thomas Adams of TynTec, Aviv Raff of
aviv.raffon.net, and Collin Mulliner of Fraunhofer SIT for reporting
this issue.
Mail
CVE-ID: CVE-2009-0961
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: An application that causes an alert to appear may initiate a
phone call without user interaction
Description: If an application causes an alert to appear while Mail's
call approval dialog is shown, the call will be placed without user
interaction. This update addresses the issue by not dismissing the
call approval dialog when other alerts appear. Credit to Collin
Mulliner of Fraunhofer SIT for reporting this issue.
MPEG-4 Video Codec
CVE-ID: CVE-2009-0959
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted MPEG-4 video file may lead to
an unexpected device reset
Description: An input validation issue exists in the handling of
MPEG-4 video files. Viewing a maliciously crafted MPEG-4 video file
may lead to an unexpected device reset. This update addresses the
issue through improved handling of MPEG-4 video files. Credit to Si
Brindley for reporting this issue.
Profiles
CVE-ID: CVE-2009-1679
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Installing a configuration profile may weaken the passcode
policy defined by Exchange ActiveSync
Description: An issue in the handling of configuration profiles may
allow a weaker passcode policy to overwrite the passcode policy
already set via Exchange ActiveSync. This may allow a person with
physical access to the device to bypass the passcode policy set via
Exchange ActiveSync. This update addresses the issue through improved
handling of configuration profiles.
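The Profiles issue above is a policy-precedence problem: a later, weaker policy replaced a stronger one. The following is an added example, not Apple's code, showing the merge rule that prevents it: when two passcode policies apply, every field takes its stricter value, so a configuration profile can tighten but never loosen what Exchange ActiveSync set. The field names and the sample policies are this example's own.

```python
# Added example (not Apple's code): merging passcode policies field by field so
# the result is never weaker than either input.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasscodePolicy:
    required: bool = False
    min_length: int = 0
    require_alphanumeric: bool = False
    max_failed_attempts: Optional[int] = None     # None: never wipe on failures
    max_inactivity_minutes: Optional[int] = None  # None: never auto-lock


def _tightest_limit(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """Lower limits are stricter; None means 'no limit' and loses to any number."""
    limits = [v for v in (a, b) if v is not None]
    return min(limits) if limits else None


def merge_strictest(current: PasscodePolicy, incoming: PasscodePolicy) -> PasscodePolicy:
    """Per-field strictest-wins merge; symmetric, so install order is irrelevant."""
    return PasscodePolicy(
        required=current.required or incoming.required,
        min_length=max(current.min_length, incoming.min_length),
        require_alphanumeric=current.require_alphanumeric or incoming.require_alphanumeric,
        max_failed_attempts=_tightest_limit(current.max_failed_attempts,
                                            incoming.max_failed_attempts),
        max_inactivity_minutes=_tightest_limit(current.max_inactivity_minutes,
                                               incoming.max_inactivity_minutes),
    )


def apply_profile_last_wins(current: PasscodePolicy, incoming: PasscodePolicy) -> PasscodePolicy:
    """The flawed behaviour: whatever was installed last replaces the policy."""
    return incoming


def apply_profile_fixed(current: PasscodePolicy, incoming: PasscodePolicy) -> PasscodePolicy:
    return merge_strictest(current, incoming)


# Constructed sample policies: what Exchange ActiveSync set, and a weaker profile.
EAS_POLICY = PasscodePolicy(required=True, min_length=6, require_alphanumeric=True,
                            max_failed_attempts=10, max_inactivity_minutes=5)
WEAK_PROFILE = PasscodePolicy(required=True, min_length=4, require_alphanumeric=False,
                              max_failed_attempts=None, max_inactivity_minutes=15)

if __name__ == "__main__":
    print("last wins :", apply_profile_last_wins(EAS_POLICY, WEAK_PROFILE))
    print("strictest :", apply_profile_fixed(EAS_POLICY, WEAK_PROFILE))
```

Because the merge is symmetric, it does not matter whether the weak profile arrives before or after the Exchange policy; a profile that is stricter in some field still tightens that field.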
Safari
CVE-ID: CVE-2009-1680
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Clearing Safari's history via the Settings application does
not prevent disclosure of the search history to a person with
physical access to the device
Description: Clearing Safari's history via the Settings application
does not reset the search history. In this case, another person with
physical access to the device may be able to view the search history.
This update addresses the issue by removing the search history when
Safari's history is cleared via the Settings application. Credit to
Joshua Belsky for reporting this issue.
Safari
CVE-ID: CVE-2009-1681
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Interacting with a maliciously crafted website may result in
unexpected actions on other sites
Description: A design issue exists in the same-origin policy
mechanism used to limit interactions between websites. This policy
allows websites to load pages from third-party websites into a
subframe. This frame may be positioned to entice the user to click a
particular element within the frame, an attack referred to as
"clickjacking". A maliciously crafted website may be able to
manipulate a user into taking an unexpected action, such as
initiating a purchase. This update addresses the issue through
adoption of the industry-standard 'X-Frame-Options' extension header,
which allows individual web pages to opt out of being displayed within
a subframe.
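The following is an added example, not WebKit's or Apple's code, of the decision a browser makes once it honours X-Frame-Options, together with an audit pass a site owner can run over their own responses to find pages that never opt out of framing. Only the DENY and SAMEORIGIN values are handled; the URLs and response headers are constructed.

```python
# Added example (not WebKit's code): evaluating X-Frame-Options the way a
# browser does, and auditing responses for pages that remain framable.
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) triple; two URLs are same-origin when these match."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def framing_allowed(top_url: str, framed_url: str, headers: Dict[str, str]) -> bool:
    """True if a browser honouring X-Frame-Options would render `framed_url`
    inside a page at `top_url`. Header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-frame-options", "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(top_url) == origin(framed_url)
    # No header, or an unrecognised value: the page is framable, which is the
    # pre-X-Frame-Options default the advisory is moving away from.
    return True


def audit_framable(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """List the URLs whose responses would let an unrelated site frame them."""
    third_party = "https://third-party.example/"
    return [url for url, headers in responses if framing_allowed(third_party, url, headers)]


# Constructed responses: checkout and login opt out, the help page does not.
RESPONSES = [
    ("https://shop.example/checkout", {"X-Frame-Options": "SAMEORIGIN"}),
    ("https://shop.example/login", {"x-frame-options": "deny"}),
    ("https://shop.example/help", {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    print("framable by third parties:", audit_framable(RESPONSES))
```

Note that SAMEORIGIN compares scheme, host and port, so an http:// top-level page is not same-origin with an https:// framed page even on the same host.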
Telephony
CVE-ID: CVE-2009-1683
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: A remote attacker may cause an unexpected device reset
Description: A logic issue in the handling of ICMP echo request
packets may cause an assertion to be triggered. By sending a
maliciously crafted ICMP echo request packet, a remote attacker may
be able to cause an unexpected device reset. This update addresses
the issue by removing the assertion. Credit to Masaki Yoshida for
reporting this issue.
WebKit
CVE-ID: CVE-2008-2320
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling
of invalid color strings in Cascading Style Sheets. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved sanitization of color strings. Credit to
Thomas Raffetseder of the International Secure Systems Lab for
reporting this issue.
WebKit
CVE-ID: CVE-2009-0945
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A memory corruption issue exists in WebKit's handling
of SVGList objects. Visiting a maliciously crafted website may lead
to arbitrary code execution. This update addresses the issue through
improved bounds checking. Credit to Nils working with TippingPoint's
Zero Day Initiative for reporting this issue.
WebKit
CVE-ID: CVE-2009-1684
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in
cross-site scripting
Description: A cross-site scripting issue exists in the separation
of JavaScript contexts. A maliciously crafted web page may use an
event handler to execute a script in the security context of the next
web page that is loaded in its window or frame. This update addresses
the issue by ensuring that event handlers are not able to directly
affect an in-progress page transition. Credit to Michal Zalewski of
Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2009-1685
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in
cross-site scripting
Description: A cross-site scripting issue exists in the separation
of JavaScript contexts. By enticing a user to visit a maliciously
crafted web page, the attacker may overwrite the
'document.implementation' of an embedded or parent document served
from a different security zone. This update addresses the issue by
ensuring that changes to 'document.implementation' do not affect
other documents. Credit to Dean McNamee of Google Inc. for reporting
this issue.
WebKit
CVE-ID: CVE-2009-1686
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A type conversion issue exists in WebKit's JavaScript
exception handling. When an attempt is made to assign the exception
to a variable that is declared as a constant, an object is cast to an
invalid type, causing memory corruption. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by ensuring
that assignment in a const declaration writes to the variable object.
Credit to Jesse Ruderman of Mozilla Corporation for reporting this
issue.
WebKit
CVE-ID: CVE-2009-1687
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's JavaScript
garbage collector implementation. If an allocation fails, a memory
write to an offset of a NULL pointer may result, leading to an
unexpected application termination or arbitrary code execution. This
update addresses the issue by checking for allocation failure. Credit
to SkyLined of Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2009-1688, CVE-2009-1689
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: Multiple issues in WebKit's handling of JavaScript
objects may lead to a cross-site scripting attack. This update
addresses the issues through improved handling of cross-site
interaction with JavaScript objects. Credit to Adam Barth of UC
Berkeley, and Collin Jackson of Stanford University for reporting
these issues.
WebKit
CVE-ID: CVE-2009-1690
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling
of recursion in certain DOM event handlers. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved memory management. Credit to SkyLined of Google Inc. for
reporting this issue.
WebKit
CVE-ID: CVE-2009-1691
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to
cross-site scripting
Description: A cross-site scripting issue in Safari allows a
maliciously crafted website to alter standard JavaScript prototypes
of websites served from a different domain. By enticing a user to
visit a maliciously crafted web page, an attacker may be able to
alter the execution of JavaScript served from other websites. This
update addresses the issue through improved access controls on these
prototypes.
WebKit
CVE-ID: CVE-2009-1692
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected device reset
Description: A memory consumption issue exists in the handling of
HTMLSelectElement objects. Visiting a maliciously crafted webpage
containing an HTMLSelectElement with a very large length attribute
may lead to an unexpected device reset. This update addresses the
issue through improved handling of HTMLSelectElement objects. Credit
to Thierry Zoller of G-SEC (www.g-sec.lu) for reporting this issue.
WebKit
CVE-ID: CVE-2009-1693
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may disclose images
from other sites
Description: A cross-site image capture issue exists in WebKit. By
using a canvas with an SVG image, a maliciously crafted website may
load and capture an image from another website. This update addresses
the issue by restricting the reading of canvases that have images
loaded from other websites. Credit to Chris Evans of Google Inc. for
reporting this issue.
WebKit
CVE-ID: CVE-2009-1694
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may disclose images
from other sites
Description: A cross-site image capture issue exists in WebKit. By
using a canvas and a redirect, a maliciously crafted website may load
and capture an image from another website. This update addresses the
issue through improved handling of redirects. Credit to Chris Evans
of Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2009-1695
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: An issue in WebKit allows the contents of a frame to be
accessed by an HTML document after a page transition has taken place.
This may allow a maliciously crafted website to perform a cross-site
scripting attack. This update addresses the issue through an improved
domain check. Credit to Feng Qian of Google Inc. for reporting this
issue.
WebKit
CVE-ID: CVE-2009-1696
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Websites may surreptitiously track users
Description: Safari generates random numbers for JavaScript
applications using a predictable algorithm. This could allow a
website to track a particular Safari session without using cookies,
hidden form elements, IP addresses, or other techniques. This update
addresses the issue by using a better random number generator. Credit
to Amit Klein of Trusteer for reporting this issue.
WebKit
CVE-ID: CVE-2009-1697
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: A CRLF injection issue exists in the handling of
XMLHttpRequest headers in WebKit. This may allow a malicious website
to bypass the same-origin policy by issuing an XMLHttpRequest that
does not contain a Host header. XMLHttpRequests without a Host header
may reach other websites on the same server, and allow
attacker-supplied JavaScript to interact with those sites. This update
addresses the issue through improved handling of XMLHttpRequest
headers. Credit to Per von Zweigbergk for reporting this issue.
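The XMLHttpRequest issue above is header injection: a value containing CR/LF turns into additional header lines when the request is serialised. The following is an added example, not WebKit's code, of the validation a setRequestHeader path needs: the name must be an HTTP token, the value must contain no CR, LF or NUL, and headers the browser itself controls (Host among them) are refused. FORBIDDEN is a hand-picked subset of the request headers browsers do not let scripts set; the full list is in the Fetch standard. The sample values are constructed.

```python
# Added example (not WebKit's code): validating script-supplied request headers
# so that a value can never add or override header lines.
import re
from typing import Dict, List

# HTTP/1.1 token characters, the only ones allowed in a header name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Subset of request headers the browser, not the script, is responsible for.
FORBIDDEN = {"host", "content-length", "connection", "transfer-encoding",
             "cookie", "origin", "referer"}


class HeaderError(ValueError):
    pass


def set_request_header_unchecked(headers: Dict[str, str], name: str, value: str) -> None:
    """The flawed behaviour: the value is stored verbatim, so a CR/LF inside it
    becomes a new header line once the request is serialised."""
    headers[name] = value


def set_request_header(headers: Dict[str, str], name: str, value: str) -> None:
    """Validated variant: bad names, browser-owned names and control characters
    are refused before anything is stored."""
    if not TOKEN.match(name):
        raise HeaderError(f"invalid header name: {name!r}")
    lowered = name.lower()
    if lowered in FORBIDDEN or lowered.startswith(("proxy-", "sec-")):
        raise HeaderError(f"header not settable by scripts: {name!r}")
    if "\r" in value or "\n" in value or "\x00" in value:
        raise HeaderError("header value must not contain CR, LF or NUL")
    headers[name] = value.strip()


def request_lines(headers: Dict[str, str]) -> List[str]:
    """Serialise the script-set headers exactly as they would go on the wire
    and split on CRLF, so smuggled lines become visible as extra entries."""
    raw = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return raw.split("\r\n")[:-1]


def is_rejected(name: str, value: str) -> bool:
    """Convenience check: does the validated setter refuse this header?"""
    try:
        set_request_header({}, name, value)
        return False
    except HeaderError:
        return True


# Constructed value carrying an embedded line break.
INJECTED_VALUE = "text/plain\r\nX-Injected: 1"

if __name__ == "__main__":
    unchecked: Dict[str, str] = {}
    set_request_header_unchecked(unchecked, "Content-Type", INJECTED_VALUE)
    print("unchecked serialises to", len(request_lines(unchecked)), "lines")
    print("validated rejects it:", is_rejected("Content-Type", INJECTED_VALUE))
```

Two separate checks matter here: the character check stops one header from becoming two, and the name check stops a script from supplying a header the browser must own, which is what let a request without a proper Host header reach other sites on the same server.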
WebKit
CVE-ID: CVE-2009-1698
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling
of the CSS 'attr' function. Viewing a maliciously crafted web page
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through additional
validation of CSS elements. Credit to Thierry Zoller working with
TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google
Security Team for reporting this as a security issue.
WebKit
CVE-ID: CVE-2009-1699
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in an
information disclosure
Description: An XML External Entity issue exists in WebKit's
handling of XML. Visiting a maliciously crafted website may result in
the website being able to read files from the user's system. This
update addresses the issue by not loading external entities across
origins. Credit to Chris Evans of Google Inc. for reporting this
issue.
WebKit
CVE-ID: CVE-2009-1700
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in the
disclosure of sensitive information
Description: WebKit does not properly handle redirects when
processing Extensible Stylesheet Language Transformations
(XSLT). This allows a maliciously crafted website to retrieve XML
content from pages on other websites, which could result in the
disclosure of sensitive information. This update addresses the issue
by ensuring that documents referenced in transformations are
downloaded from the same domain as the transformation itself. Credit
to Chris Evans of Google Inc. for reporting this issue.
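The XSLT issue above is a same-origin check that was applied to the URL named in the stylesheet but not to where that URL redirected. The following is an added example, not WebKit's code, of loading a document referenced by a transformation with the origin check applied at every hop of a redirect chain, beside the flawed first-hop-only check. The fetch function and the URLs are constructed stand-ins for the network layer.

```python
# Added example (not WebKit's code): origin check for documents pulled into an
# XSL transformation, enforced across redirects.
from typing import Callable, Tuple
from urllib.parse import urlsplit

MAX_REDIRECTS = 10

# Constructed network: each URL yields ("ok", body) or ("redirect", next_url).
FETCH_TABLE = {
    "https://app.example/data.xml": ("ok", "<data/>"),
    "https://app.example/jump": ("redirect", "https://intranet.example/secret.xml"),
    "https://intranet.example/secret.xml": ("ok", "<secret>constructed</secret>"),
}


def fake_fetch(url: str) -> Tuple[str, str]:
    return FETCH_TABLE[url]


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) triple; two URLs are same-origin when these match."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


class CrossOriginLoad(Exception):
    pass


def load_for_transform(transform_url: str, document_url: str,
                       fetch: Callable[[str], Tuple[str, str]]) -> str:
    """Corrected behaviour: every URL in the chain, including each redirect
    target, must share the transformation's origin."""
    expected = origin(transform_url)
    url = document_url
    for _ in range(MAX_REDIRECTS):
        if origin(url) != expected:
            raise CrossOriginLoad(url)
        kind, payload = fetch(url)
        if kind == "ok":
            return payload
        url = payload
    raise CrossOriginLoad("too many redirects")


def load_checking_first_hop_only(transform_url: str, document_url: str,
                                 fetch: Callable[[str], Tuple[str, str]]) -> str:
    """The flawed pattern: only the URL named in the stylesheet is checked;
    redirects are then followed wherever they lead."""
    if origin(document_url) != origin(transform_url):
        raise CrossOriginLoad(document_url)
    url = document_url
    for _ in range(MAX_REDIRECTS):
        kind, payload = fetch(url)
        if kind == "ok":
            return payload
        url = payload
    raise CrossOriginLoad("too many redirects")


def is_refused(loader, transform_url: str, document_url: str) -> bool:
    try:
        loader(transform_url, document_url, fake_fetch)
        return False
    except CrossOriginLoad:
        return True


TRANSFORM = "https://app.example/style.xsl"

if __name__ == "__main__":
    print("same-origin document:", load_for_transform(TRANSFORM, "https://app.example/data.xml", fake_fetch))
    print("redirect refused by fixed loader:", is_refused(load_for_transform, TRANSFORM, "https://app.example/jump"))
    print("redirect refused by flawed loader:", is_refused(load_checking_first_hop_only, TRANSFORM, "https://app.example/jump"))
```

The general rule this illustrates is that any origin check on a fetch has to be re-evaluated after each redirect, since the response that is finally read comes from the last URL in the chain, not the first.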
WebKit
CVE-ID: CVE-2009-1701
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of
the JavaScript DOM. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved handling of document
elements. Credit to wushi & ling of team509 working with
TippingPoint's Zero Day Initiative for reporting this issue.
WebKit
CVE-ID: CVE-2009-1702
Available for: iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a malicious website may lead to a cross-site
scripting attack
Description: An issue in WebKit's handling of Location and History
objects may result in a cross-site scripting attack when visiting a
malicious website. This update addresses the issue through improved
handling of Location and History objects. Credit to Adam Barth and
Joel Weinberger of UC Berkeley for reporting this issue.
Installation note:
This update is only available through iTunes, and will not appear in
your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/.
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone or iPod touch is docked, iTunes will present the user with
the option to install the update. We recommend applying the update
immediately if possible. Selecting "don't install" will present the
option the next time you connect your iPhone or iPod touch.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the "Check for Update" button within iTunes. After doing
this, the update can be applied when your iPhone or iPod touch is
docked to your computer.
To check that the iPhone or iPod touch has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"3.0 (7A341)" or later
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/