
APPLE-SA-2010-06-21-1 iOS 4

Posted on 21 June 2010
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-06-21-1 iOS 4

iOS 4 is now available and addresses the following:

Application Sandbox
CVE-ID: CVE-2010-1751
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: An application may be able to infer the user's location
without authorization
Description: The Application Sandbox does not prevent applications
from directly accessing the user's photo library. This may allow an
application to determine visited locations without authorization.
This issue is addressed by modifying the Application Sandbox to
prevent direct access to the user's photo library. Credit to Zac
White for reporting this issue.

CFNetwork
CVE-ID: CVE-2010-1752
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A stack overflow exists in CFNetwork's URL handling
code. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory handling. Credit to
Laurent OUDOT of TEHTRI-Security for reporting this issue.

ImageIO
CVE-ID: CVE-2010-0041
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in sending
data from Safari's memory to the website
Description: An uninitialized memory access issue exists in
ImageIO's handling of BMP images. Visiting a maliciously crafted
website may result in sending data from Safari's memory to the
website. This issue is addressed through improved memory
initialization and additional validation of BMP images. Credit to
Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID: CVE-2010-0042
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in sending
data from Safari's memory to the website
Description: An uninitialized memory access issue exists in
ImageIO's handling of TIFF images. Visiting a maliciously crafted
website may result in sending data from Safari's memory to the
website. This issue is addressed through improved memory
initialization and additional validation of TIFF images. Credit to
Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID: CVE-2010-0043
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
TIFF images. Processing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. Credit to
Gus Mueller of Flying Meat for reporting this issue.

ImageIO
CVE-ID: CVE-2010-1753
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Processing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
JPEG images. Processing a maliciously crafted JPEG image may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. Credit to
Ladd Van Tol of Critical Path Software for reporting this issue.

LibSystem
CVE-ID: CVE-2009-0689
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Applications that convert untrusted data between binary
floating point and text may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow exists in the floating point binary
to text conversion code within Libsystem. An attacker who can cause
an application to convert a floating point value into a long string,
or to parse a maliciously crafted string as a floating point value,
may be able to cause an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
bounds checking. Credit to Maksymilian Arciemowicz of
SecurityReason.com for reporting this issue.

libxml
CVE-ID: CVE-2009-2414, CVE-2009-2416
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Parsing maliciously crafted XML content may lead to an
unexpected application termination
Description: Multiple use after free issues exist in libxml2, the
most serious of which may lead to an unexpected application
termination. The issues are addressed through improved memory
handling. Credit to Rauli Kaksonen and Jukka Taimisto from the CROSS
project at Codenomicon Ltd. for reporting these issues.

Passcode Lock
CVE-ID: CVE-2010-1754
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Remote Lock via MobileMe may not be effective in preventing
access
Description: If the device is unlocked in response to an alert, such
as receiving a text message or voicemail, and MobileMe is then used
to Remote Lock the device, then the next unlock of the device will
have the passcode already entered. A person with physical access to
the device will not require the passcode in this situation. This
issue is addressed by properly clearing the passcode. Credit to
Sidney San Martin of DeepTech, Inc. for reporting this issue.

Passcode Lock
CVE-ID: CVE-2010-1775
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A person with physical access to a device may be able to
access the user's data
Description: A device with a passcode set may only be paired with a
computer if the device is unlocked. A race condition permits pairing
for a short period after the initial boot, if the device was unlocked
before powering down. If the device was shut down from a locked
state, this issue does not occur. This issue is addressed through
improved checking for the locked state.

Safari
CVE-ID: CVE-2010-1755
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Cookies may be set by third-party sites even when the Accept
Cookies preference is set to "From visited" or "Never"
Description: An implementation issue exists in the handling of
cookie preferences. Cookie preferences are not applied until Safari
is restarted. Cookies may be set by third-party sites even when the
Accept Cookies preference is set to "From visited" or "Never". This
issue is addressed by applying the Accept Cookies preference. Credit
to Jason Dent of Street Side Software for reporting this issue.

Safari
CVE-ID: CVE-2010-1384
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A maliciously crafted URL may be obfuscated, making phishing
attacks more effective
Description: Safari supports the inclusion of user information in
URLs, which allows the URL to specify a username and password to
authenticate the user to the named server. These URLs are often used
to confuse users, which can potentially aid phishing attacks. Safari
is updated to display a warning before navigating to an HTTP or HTTPS
URL containing user information. Credit to Abhishek Arya of Google,
Inc. for reporting this issue.
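
The check the Safari fix describes can be expressed as a small decision function. The code below is an added example, not Apple's or WebKit's code: it parses a URL with the standard library, reports whether an http or https URL carries userinfo before the '@', and returns the host the client would really connect to, which is what the warning should show. The sample URLs are constructed for the example; 203.0.113.5 is from a documentation-only address range.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the advisory). 203.0.113.0/24 is a
# documentation-only address range.
SAMPLE_URLS = [
    "http://www.example.com@203.0.113.5/login",  # userinfo that looks like a host
    "https://user:secret@example.net/",          # username and password
    "https://example.com/?next=a@b",             # '@' only in the query string
    "ftp://user@example.org/",                   # not http/https: out of scope
    "https://example.org/account",               # plain URL
]


def userinfo_warning(url: str):
    """Decide whether navigation to `url` should show the userinfo warning.

    Returns (should_warn, connect_host, userinfo). The warning applies only
    to http and https URLs whose authority carries userinfo (everything
    before the last '@' in the authority). `connect_host` is the host the
    client would actually connect to, which is what the warning displays.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return (False, parts.hostname, None)
    if "@" not in parts.netloc:
        return (False, parts.hostname, None)
    userinfo = parts.netloc.rsplit("@", 1)[0]
    return (True, parts.hostname, userinfo)


def warning_text(url: str):
    """Human-readable warning, or None when no warning is needed."""
    should_warn, host, userinfo = userinfo_warning(url)
    if not should_warn:
        return None
    return (f"This URL contains a username ({userinfo!r}) and will connect "
            f"to {host!r}. Make sure that is the site you intended to visit.")


def flagged_urls(urls):
    """Return the subset of `urls` that would trigger the warning."""
    return [u for u in urls if userinfo_warning(u)[0]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", warning_text(u) or "no warning")
```

Note that the check is on the authority component only: an '@' in the query string or path is not userinfo and must not trigger the warning, otherwise sites that pass e-mail addresses in parameters would be flagged constantly.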

Safari
CVE-ID: CVE-2009-1723
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A maliciously crafted website may control the displayed
website URL while a certificate warning is displayed
Description: When Safari reaches a website via a 302 redirection and
a certificate warning is displayed, the URL bar will contain the
original website URL instead of the current website URL. This may
allow a maliciously crafted website that is reached via an open
redirector on a user-trusted website to control the displayed website
URL while a certificate warning is displayed. This issue is addressed
by returning the correct URL in the underlying CFNetwork layer.
Credit to Kevin Day of Your.Org, and Jason Mueller of Indiana
University for reporting this issue.

Settings
CVE-ID: CVE-2010-1756
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A user may be misled as to the actual operational wireless
network
Description: A design issue exists in the Settings application. When
connected to a hidden wireless network, the Settings application may
incorrectly indicate another wireless network. This issue is
addressed by properly displaying the active wireless network. Credit
to Wilfried Teiken for reporting this issue.

WebKit
CVE-ID: CVE-2009-2195
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in WebKit's parsing of
floating point numbers. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. The issue is addressed through improved bounds checking.
Credit: Apple.

WebKit
CVE-ID: CVE-2009-2816
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in
unexpected actions on other websites
Description: An issue exists in WebKit's implementation of Cross-
Origin Resource Sharing. Before allowing a page from one origin to
access a resource in another origin, WebKit sends a preflight request
to the latter server for access to the resource. WebKit includes
custom HTTP headers specified by the requesting page in the preflight
request. This can facilitate cross-site request forgery. This issue
is addressed by removing custom HTTP headers from preflight requests.
Credit: Apple.
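
The difference between the old and the corrected preflight can be shown by building both. This is an added example, not WebKit's code: each function returns the OPTIONS request a browser would send before a cross-origin request that carries custom headers. The corrected version announces only the header names in Access-Control-Request-Headers (standard CORS behaviour), while the version modelled on the advisory's description also copies the page-supplied headers and their values into the preflight itself. The origin, method and headers are constructed sample input.

```python
# The only request headers a CORS preflight is supposed to carry besides
# the usual hop-by-hop ones (lower-cased for comparison).
CORS_PREFLIGHT_FIELDS = ("origin", "access-control-request-method",
                         "access-control-request-headers")

# Constructed sample request from a page on one origin to another origin.
SAMPLE_ORIGIN = "https://app.example"
SAMPLE_HEADERS = {"X-Requested-With": "XMLHttpRequest",
                  "Content-Type": "application/json"}


def _request_headers_field(headers):
    """Comma-separated, lower-cased, sorted header names for the preflight."""
    return ", ".join(sorted(h.lower() for h in headers))


def build_preflight_before_fix(origin, method, headers):
    """Preflight with the behaviour the advisory describes as fixed: the
    page's custom headers (names and values) are copied into the OPTIONS
    request, so the target server sees them before it has granted access."""
    pre = {
        "Origin": origin,
        "Access-Control-Request-Method": method.upper(),
        "Access-Control-Request-Headers": _request_headers_field(headers),
    }
    pre.update(headers)  # the defect: custom headers travel in the preflight
    return {"method": "OPTIONS", "headers": pre}


def build_preflight(origin, method, headers):
    """Corrected preflight: only the header names are announced; the values
    are sent on the real request, and only if the server's response to the
    preflight allows them."""
    return {"method": "OPTIONS", "headers": {
        "Origin": origin,
        "Access-Control-Request-Method": method.upper(),
        "Access-Control-Request-Headers": _request_headers_field(headers),
    }}


def custom_headers_in_preflight(preflight):
    """Names of non-CORS headers present in a preflight (should be empty).
    Useful as a test-suite check on any preflight builder."""
    return sorted(k for k in preflight["headers"]
                  if k.lower() not in CORS_PREFLIGHT_FIELDS)


if __name__ == "__main__":
    old = build_preflight_before_fix(SAMPLE_ORIGIN, "put", SAMPLE_HEADERS)
    new = build_preflight(SAMPLE_ORIGIN, "put", SAMPLE_HEADERS)
    print("before fix, leaked headers:", custom_headers_in_preflight(old))
    print("after fix, leaked headers:", custom_headers_in_preflight(new))
```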

WebKit
CVE-ID: CVE-2010-0544
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: An issue in WebKit's handling of malformed URLs may
result in a cross-site scripting attack when visiting a maliciously
crafted website. This issue is addressed through improved handling of
URLs. Credit to Michal Zalewski of Google, Inc. for reporting this
issue.

WebKit
CVE-ID: CVE-2010-1395
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a malicious site may lead to a cross-site scripting
attack
Description: A scope management issue exists in WebKit's handling of
event objects. Visiting a malicious site may lead to a cross-site
scripting attack. This issue is addressed through improved handling
of event objects. Credit to Gianni "gf3" Chiappetta of Runlevel6 for
reporting this issue.

WebKit
CVE-ID: CVE-2010-0051
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An implementation issue exists in WebKit's handling of
cross-origin stylesheet requests. Visiting a maliciously crafted
website may disclose the content of protected resources on another
website. This issue is addressed by performing additional validation
on stylesheets that are loaded during a cross-origin request.

WebKit
CVE-ID: CVE-2010-1390
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a website using UTF-7 encoding may lead to a cross-
site scripting attack
Description: A canonicalization issue exists in WebKit's handling of
UTF-7 encoded text. An HTML quoted string may be left unterminated,
leading to a cross-site scripting attack or other issues. This issue
is addressed by removing support for UTF-7 encoding in WebKit. Credit
to Masahiro Yamada for reporting this issue.

WebKit
CVE-ID: CVE-2010-0047
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in the handling of HTML
object element fallback content. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
memory reference tracking. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-0053
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in the rendering of
content with a CSS display property set to 'run-in'. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit to wushi of
team509, working with TippingPoint's Zero Day Initiative for
reporting this issue.

WebKit
CVE-ID: CVE-2010-0050
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of
incorrectly nested HTML tags. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved memory reference
tracking. Credit to wushi&Z of team509 working with TippingPoint's
Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1406
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting an HTTPS site which redirects to an HTTP site may
lead to an information disclosure
Description: When WebKit is redirected from an HTTPS site to an HTTP
site, the Referer header is passed to the HTTP site. This can lead to
the disclosure of sensitive information contained in the URL of the
HTTPS site. This issue is addressed by not passing the Referer header
when an HTTPS site redirects to an HTTP site. Credit to Colin
Percival of Tarsnap for reporting this issue.
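
The fixed behaviour is a policy decision that can be written out in a few lines. The following is an added example, not WebKit's code: given the URL the client is on and the URL it is being sent to, it returns the Referer value to send, or None when the navigation goes from https: to a non-https: destination. It goes slightly beyond the advisory in one respect: the Referer it does send is reduced to scheme, host, port, path and query, with userinfo and fragment dropped, which is the normal form of that header. The URLs are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit


def strip_for_referer(url: str):
    """Reduce a URL to what a Referer header may carry: scheme, host,
    port, path and query. Userinfo and the fragment are removed."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def referer_for(from_url: str, to_url: str):
    """Return the Referer value to send when navigating (or being
    redirected) from `from_url` to `to_url`, or None when it must be
    withheld.

    The rule the advisory describes: leaving an https: page for an http:
    destination sends no Referer, because the header would expose the
    HTTPS URL, query string included, over a plaintext connection.
    """
    src_scheme = urlsplit(from_url).scheme.lower()
    dst_scheme = urlsplit(to_url).scheme.lower()
    if src_scheme == "https" and dst_scheme != "https":
        return None
    return strip_for_referer(from_url)


# Constructed sample navigations: (from, to). The token in the first URL
# stands for the kind of sensitive value that turns up in HTTPS query strings.
SAMPLE_NAVIGATIONS = [
    ("https://bank.example/reset?token=abc123", "http://cdn.example/x"),
    ("https://bank.example/reset?token=abc123", "https://other.example/"),
    ("http://a.example/p", "http://b.example/"),
    ("https://user:pw@bank.example/p#frag", "https://b.example/"),
]


def referer_trace(navigations=SAMPLE_NAVIGATIONS):
    """Return [(from, to, referer_sent)] for a list of navigations."""
    return [(f, t, referer_for(f, t)) for f, t in navigations]


if __name__ == "__main__":
    for f, t, ref in referer_trace():
        print(f"{f} -> {t}: Referer = {ref!r}")
```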

WebKit
CVE-ID: CVE-2010-0048
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's parsing of
XML documents. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory reference tracking.

WebKit
CVE-ID: CVE-2010-0046
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling
of CSS format() arguments. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of CSS
format() arguments. Credit to Robert Swiecki of Google Inc. for
reporting this issue.

WebKit
CVE-ID: CVE-2010-0052
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of
callbacks for HTML elements. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved memory reference
tracking. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1397
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's rendering of
a selection when the layout changes. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
handling of selections. Credit to wushi&Z of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-0049
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in the handling of HTML
elements containing right-to-left displayed text. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit to wushi&Z of
team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-1393
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: An information disclosure issue exists in WebKit's
handling of Cascading Stylesheets. If a stylesheet's HREF attribute
is set to a URL that causes a redirection, scripts on the page may be
able to access the redirected URL. Visiting a maliciously crafted
website may lead to the disclosure of sensitive URLs on another site.
This issue is addressed by returning the original URL to scripts,
rather than the redirected URL.

WebKit
CVE-ID: CVE-2010-0054
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of
HTML image elements. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory reference tracking.
Credit: Apple.

WebKit
CVE-ID: CVE-2010-1119
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
attribute manipulation. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved memory reference
tracking. Credit to Michal Zalewski of Google, Inc., and Ralf Philipp
Weinmann working with TippingPoint's Zero Day Initiative for
reporting this issue.

WebKit
CVE-ID: CVE-2010-1387
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in JavaScriptCore during
page transitions. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory management.

WebKit
CVE-ID: CVE-2010-1400
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
caption elements. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of caption
elements. Credit to regenrecht working with iDefense for reporting
this issue.

WebKit
CVE-ID: CVE-2010-1409
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may allow remotely
specified data to be sent to an IRC server
Description: Common IRC service ports are not included in WebKit's
port blacklist. Visiting a maliciously crafted website may allow
remotely specified data to be sent to an IRC server. This may cause
the server to take unintended actions on the user's behalf. This
issue is addressed by adding the affected ports to WebKit's port
blacklist.

WebKit
CVE-ID: CVE-2010-1398
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling
of ordered list insertions. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of list
insertions. Credit to wushi of team509, working with TippingPoint's
Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1402
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue exists in WebKit's handling of
event listeners in SVG images. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of SVG
images. Credit to wushi of team509, working with TippingPoint's Zero
Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1394
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A design issue exists in WebKit's handling of HTML
document fragments. The contents of HTML document fragments are
processed before a fragment is actually added to a document. Visiting
a maliciously crafted website could lead to a cross-site scripting
attack if a legitimate website attempts to manipulate a document
fragment containing untrusted data. This issue is addressed by
ensuring that initial fragment parsing has no side effects on the
document that created the fragment. Credit to Eduardo Vela Nava
(sirdarckcat) of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1399
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's
handling of selection changes on form input elements. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved handling of selections. Credit to wushi of team509,
working with TippingPoint's Zero Day Initiative for reporting this
issue.

WebKit
CVE-ID: CVE-2010-1396
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
the removal of container elements. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
memory reference tracking. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1401
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
the ':first-letter' pseudo-element in cascading stylesheets. Visiting
a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved handling of the ':first-letter' pseudo-element.
Credit to wushi of team509, working with TippingPoint's Zero Day
Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1403
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's
handling of malformed XML when rendering SVG images. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved handling of SVG images. Credit to wushi of team509,
working with TippingPoint's Zero Day Initiative, for reporting this
issue.

WebKit
CVE-ID: CVE-2010-1404
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
SVG images with multiple 'use' elements. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
handling of 'use' elements in SVG images. Credit to wushi of team509,
working with TippingPoint's Zero Day Initiative for reporting this
issue.

WebKit
CVE-ID: CVE-2010-1410
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling
of malformed XML in SVG images. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
handling of XML in SVG images. Credit to Aki Helin of OUSPG for
reporting this issue.

WebKit
CVE-ID: CVE-2010-1391
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may cause files to be
created in arbitrary user-writable locations
Description: A path traversal issue exists in WebKit's support for
Local Storage and Web SQL databases. If accessed from an application-
defined scheme containing '%2f' (/) or '%5c' (\) and '..' in the host
section of the URL, a maliciously crafted website may cause database
files to be created outside of the designated directory. This issue
is addressed by encoding characters that may have special meaning in
pathnames. This issue does not affect sites served from http: or
https: schemes. Credit: Apple.
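
The fix described, encoding characters that have special meaning in pathnames, can be illustrated with two ways of mapping an origin to a per-origin storage directory. This is an added example and not WebKit's code or directory layout: the naive function percent-decodes the host and uses it as a path component, so '%2f' and '..' in the host walk out of the base directory; the hardened function percent-encodes every component with no characters left unescaped except the unreserved set, and then verifies that the resulting path is still inside the base directory. The base directory and host values are constructed samples.

```python
import os
from urllib.parse import quote, unquote

# Constructed base directory for the example (not a real WebKit path).
BASE_DIR = "/var/lib/webdb"


def is_within(base_dir, path):
    """True if `path` resolves to a location inside `base_dir`."""
    base = os.path.abspath(base_dir)
    return os.path.commonpath([base, os.path.abspath(path)]) == base


def naive_storage_directory(base_dir, scheme, host, port):
    """Layout with the defect the advisory describes: the host is
    percent-decoded and used as a path component as-is, so '%2f' (and, on
    platforms where backslash separates path components, '%5c') together
    with '..' can move the directory out of base_dir."""
    return os.path.abspath(os.path.join(base_dir, scheme, unquote(host), str(port)))


def safe_storage_directory(base_dir, scheme, host, port):
    """Hardened layout: each origin component is decoded once (so two
    spellings of the same host map to one directory) and then re-encoded
    with quote(safe=""), which leaves only letters, digits and '_.-~'
    unescaped. '/', '\\' and '%' therefore cannot reach the filesystem, and
    the joined name is a single path component. The containment check is
    kept as a second line of defence."""
    name = "_".join(quote(str(part), safe="")
                    for part in (scheme, unquote(host), port))
    path = os.path.abspath(os.path.join(base_dir, name))
    if not is_within(base_dir, path):
        raise ValueError(f"refusing to place origin storage outside {base_dir}")
    return path


if __name__ == "__main__":
    host = "..%2f..%2fescape"  # constructed hostile host component
    print("naive :", naive_storage_directory(BASE_DIR, "app", host, 0))
    print("safe  :", safe_storage_directory(BASE_DIR, "app", host, 0))
```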

WebKit
CVE-ID: CVE-2010-1408
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in sending
remotely specified data to arbitrary TCP ports
Description: An integer truncation issue exists in WebKit's handling
of requests to non-default TCP ports. Visiting a maliciously crafted
website may result in sending remotely specified data to arbitrary
TCP ports. This issue is addressed by ensuring that port numbers are
within the valid range.
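
The two port-handling entries above (the missing IRC ports in the port blacklist, CVE-2010-1409, and the integer truncation in CVE-2010-1408) share one lesson: a port number has to be parsed and range-checked before it is compared against a blocklist, otherwise a value that wraps after narrowing to 16 bits is compared as a different port. The code below is an added example, not WebKit's: it shows a parser with the truncation defect beside a strict parser, and a policy function that checks range first and only then consults the blocklist. The blocklist is a constructed sample that includes the well-known IRC port 6667; it is not WebKit's list.

```python
MAX_PORT = 65535

# Constructed sample blocklist (not WebKit's actual list): a few ports a
# browser should refuse to connect to, including the well-known IRC port.
SAMPLE_BLOCKED_PORTS = frozenset({25, 6667})


def truncating_port(text: str):
    """Port parsing with the defect the advisory describes: the number is
    narrowed to 16 bits, so an out-of-range value wraps onto a different
    port. Shown only for comparison with parse_port()."""
    return int(text) & 0xFFFF


def parse_port(text: str):
    """Strict parsing: ASCII decimal digits only, value in 1..MAX_PORT.
    Anything else returns None rather than a wrapped or guessed value."""
    if not (text.isascii() and text.isdigit()):
        return None
    value = int(text)
    if value < 1 or value > MAX_PORT:
        return None
    return value


def port_allowed(text: str, blocked=SAMPLE_BLOCKED_PORTS):
    """Decide whether a URL's port may be connected to.

    Range validation happens before the blocklist lookup, so a value that
    would wrap onto a blocked port is rejected as out of range instead of
    being compared after truncation."""
    port = parse_port(text)
    return port is not None and port not in blocked


def port_allowed_before_fix(text: str, blocked=SAMPLE_BLOCKED_PORTS):
    """The ordering the two entries warn about: truncate first, then check.
    With a blocklist that lacks 6667, 6667 itself passes; with the
    truncation, 72203 (65536 + 6667) is checked as 6667."""
    return truncating_port(text) not in blocked


if __name__ == "__main__":
    for candidate in ("443", "6667", "72203", "65536", "0"):
        print(f"{candidate:>6}: strict={port_allowed(candidate)} "
              f"truncating={port_allowed_before_fix(candidate)}")
```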

WebKit
CVE-ID: CVE-2010-1392
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's rendering of
HTML buttons. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory management. Credit to
Matthieu Bonetti of VUPEN Vulnerability Research Team for reporting
this issue.

WebKit
CVE-ID: CVE-2010-1405
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
HTML elements with custom vertical positioning. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit to Ojan Vafai of
Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1407
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in an
information disclosure
Description: An information disclosure issue exists in WebKit's
handling of the 'history.replaceState' method. Within an iframe,
calls to replaceState affect the parent frame even if the parent is
in a separate origin. Visiting a maliciously crafted website may
result in an information disclosure. This issue is addressed by
restricting the operation of replaceState calls to the current frame.
Credit to Darin Fisher of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1757
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Websites with embedded iframe elements may be vulnerable to
user interface spoofing
Description: Safari allows an iframe element to display content
outside its boundaries, which may lead to user interface spoofing.
This issue is addressed by not allowing iframe elements to display
content outside their boundaries. Credit to Wayne Pan of AdMob, Inc.
for reporting this issue.

WebKit
CVE-ID: CVE-2010-1413
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A user's NTLM credentials may be exposed to a man in the
middle attacker
Description: In certain circumstances, WebKit may send NTLM
credentials in plain text. This would allow a man in the middle
attacker to view the NTLM credentials. This issue is addressed
through improved handling of NTLM credentials. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1389
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Dragging or pasting a selection may lead to a cross-site
scripting attack
Description: Dragging or pasting a selection from one site to
another may allow scripts contained in the selection to be executed
in the context of the new site. This issue is addressed through
additional validation of content before a paste or a drag and drop
operation. Credit to Paul Stone of Context Information Security for
reporting this issue.

WebKit
CVE-ID: CVE-2010-0544
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: An issue in WebKit's handling of malformed URLs may
result in a cross-site scripting attack when visiting a maliciously
crafted website. This issue is addressed through improved handling of
URLs. Credit to Michal Zalewski of Google, Inc. for reporting this
issue.

WebKit
CVE-ID: CVE-2010-1417
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's rendering
of CSS-styled HTML content with multiple :after pseudo-selectors.
Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is
addressed through improved rendering of HTML content. Credit to wushi
of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-1414
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
the removeChild DOM method. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of child
element removal. Credit to Mark Dowd of Azimuth Security for
reporting this issue.

WebKit
CVE-ID: CVE-2010-1418
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: An input validation issue exists in WebKit's handling
of the src attribute of the frame element. An attribute with a
javascript scheme and leading spaces is considered valid. Visiting a
maliciously crafted website could lead to a cross-site scripting
attack. This update addresses the issue by properly validating
frame.src before the URL is dereferenced. Credit to Sergey Glazunov
for reporting this issue.
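
Added example, not code from the advisory or from WebKit: a scheme check for frame source URLs that shows why the leading-space case described above defeats a naive prefix test, and how normalizing the input the way a URL parser does before reading the scheme closes that gap. The allow-list and function names are assumptions for illustration.

```javascript
// Schemes a frame is allowed to load in this example (assumed allow-list).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "about:"]);

// Pre-process the string the way the URL parser does before it looks at
// the scheme: strip leading/trailing C0 controls and space (U+0000..U+0020)
// and remove ASCII tab, LF and CR anywhere in the input.
function normalizeUrlInput(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Return the lower-cased scheme (with trailing colon) or null when the
// input has no scheme, i.e. is a relative reference.
function extractScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() + ":" : null;
}

// Flawed pattern: inspects the raw string, so "  javascript:..." with
// leading spaces is not recognised as a javascript-scheme URL.
function naiveAllowsFrameSrc(raw) {
  return !String(raw).toLowerCase().startsWith("javascript:");
}

// Hardened check: normalize first, then decide on the parsed scheme.
// Relative references carry no scheme and inherit the document's, so
// they are accepted here (assumption for this example).
function isSafeFrameSrc(raw) {
  const scheme = extractScheme(normalizeUrlInput(raw));
  if (scheme === null) return true;
  return ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs a validator would see on a frame's src.
const SAMPLE_SRCS = [
  "https://example.invalid/page",
  "/relative/path.html",
  "  javascript:void(0)",
  "java\tscript:void(0)",
];

for (const src of SAMPLE_SRCS) {
  console.log(JSON.stringify(src), "naive:", naiveAllowsFrameSrc(src),
              "hardened:", isSafeFrameSrc(src));
}
```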

WebKit
CVE-ID: CVE-2010-1416
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may disclose images
from other sites
Description: A cross-site image capture issue exists in WebKit. By
using a canvas with an SVG image pattern, a maliciously crafted
website may load and capture an image from another website. This
issue is addressed by restricting the reading of canvases that
contain patterns loaded from other websites. Credit to Chris Evans of
Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1415
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An API abuse issue exists in WebKit's handling of
libxml contexts. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of libxml context
objects. Credit to Aki Helin of OUSPG for reporting this issue.

WebKit
CVE-ID: CVE-2010-1758
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
DOM Range objects. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of DOM Range
objects. Credit to Yaar Schnitman of Google Inc. for reporting this
issue.

WebKit
CVE-ID: CVE-2010-1759
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
the Node.normalize method. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of the
Node.normalize method. Credit to Mark Dowd for reporting this issue.

WebKit
CVE-ID: CVE-2010-1761
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's rendering
of HTML document subtrees. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved rendering of HTML
document subtrees. Credit to James Robinson of Google Inc. for
reporting this issue.

WebKit
CVE-ID: CVE-2010-1762
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A design issue exists in the handling of HTML contained
in textarea elements. Visiting a maliciously crafted website may lead
to a cross-site scripting attack. This issue is addressed through
improved validation of textarea elements. Credit to Eduardo Vela Nava
(sirdarckcat) of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1769
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An out of bounds memory access issue exists in WebKit's
handling of tables. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved bounds checking. Credit to
wushi of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-1774
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An out of bounds memory access issue exists in WebKit's
handling of HTML tables. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit to wushi of team509 for reporting this issue.


Installation note:

These updates are only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone or iPod touch is docked, iTunes will present the user with
the option to install the update. We recommend applying the update
immediately if possible. Selecting Don't Install will present the
option the next time you connect your iPhone or iPod touch.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone or iPod touch is
docked to your computer.

To check that the iPhone or iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"4.0 (8A293)" or later.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
