Secunia Advisory SA46377

Apple iOS Multiple Vulnerabilities
Release Date 2011-10-13
Last Update 2011-10-17

Criticality level Highly critical
Impact Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where From remote
Solution Status Unpatched
Operating System
Apple iOS 4.x for iPhone 3GS and later
Apple iOS for iPad 3.x
Apple iOS for iPad 4.x
Apple iOS for iPod touch 4.x
Apple iPhone OS (iOS) 3.x
Apple iPhone OS (iOS) for iPod touch 3.x

CVE Reference(s)
CVE-2011-0166
CVE-2011-0184
CVE-2011-0187
CVE-2011-0192
CVE-2011-0206
CVE-2011-0208
CVE-2011-0216
CVE-2011-0218
CVE-2011-0221
CVE-2011-0222
CVE-2011-0225
CVE-2011-0232
CVE-2011-0233
CVE-2011-0234
CVE-2011-0235
CVE-2011-0238
CVE-2011-0241
CVE-2011-0242
CVE-2011-0254
CVE-2011-0255
CVE-2011-0259
CVE-2011-0981
CVE-2011-0983
CVE-2011-1107
CVE-2011-1109
CVE-2011-1114
CVE-2011-1115
CVE-2011-1117
CVE-2011-1121
CVE-2011-1132
CVE-2011-1188
CVE-2011-1190
CVE-2011-1203
CVE-2011-1204
CVE-2011-1288
CVE-2011-1293
CVE-2011-1295
CVE-2011-1296
CVE-2011-1449
CVE-2011-1451
CVE-2011-1453
CVE-2011-1457
CVE-2011-1462
CVE-2011-1774
CVE-2011-1797
CVE-2011-2338
CVE-2011-2339
CVE-2011-2341
CVE-2011-2351
CVE-2011-2352
CVE-2011-2354
CVE-2011-2356
CVE-2011-2359
CVE-2011-2788
CVE-2011-2790
CVE-2011-2792
CVE-2011-2797
CVE-2011-2799
CVE-2011-2800
CVE-2011-2805
CVE-2011-2809
CVE-2011-2813
CVE-2011-2814
CVE-2011-2816
CVE-2011-2817
CVE-2011-2818
CVE-2011-2819
CVE-2011-2820
CVE-2011-2823
CVE-2011-2827
CVE-2011-2831
CVE-2011-3232
CVE-2011-3234
CVE-2011-3235
CVE-2011-3236
CVE-2011-3237
CVE-2011-3243
CVE-2011-3244
CVE-2011-3245
CVE-2011-3246
CVE-2011-3253
CVE-2011-3254
CVE-2011-3255
CVE-2011-3256
CVE-2011-3257
CVE-2011-3259
CVE-2011-3260
CVE-2011-3261
CVE-2011-3389
CVE-2011-3426
CVE-2011-3427
CVE-2011-3429
CVE-2011-3430
CVE-2011-3431
CVE-2011-3432
CVE-2011-3434

Description

Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people with physical access to disclose certain information and by malicious people to conduct script insertion, cross-site scripting, and spoofing attacks, disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a user's device.

1) An error within the CalDAV component does not properly validate the SSL certificate when synchronizing the calendar, which can be exploited to disclose encrypted information e.g. using a Man-in-the-Middle (MitM) attack.

2) Input passed via invitation notes is not properly sanitised in Calendar before being returned to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious invitation is being viewed.

3) The CFNetwork component stores a user's AppleID password and username in the log file readable by applications, which can be exploited to disclose the credentials.

4) The CFNetwork component does not properly restrict cross-domain access of HTTP cookies, which can be exploited to access the cookies of another web site.

5) An error exists within CoreFoundation when handling string tokenization.

For more information see vulnerability #1 in:
SA46339

6) Multiple errors within CoreGraphics when handling certain FreeType fonts can be exploited to corrupt memory.

7) An error within CoreMedia does not properly handle cross-site redirects and can be exploited to disclose video data.

8) An error exists within the Data Access component when handling multiple accounts configured on the same server and can be exploited to disclose the cookie of another account.

9) The application accepts X.509 certificates with MD5 hashes, which could lead to weak cryptographic certificates being used. This can be exploited to disclose encrypted information e.g. using a Man-in-the-Middle (MitM) attack.

10) A design error exists within the implementation of the SSL 3.0 and TLS 1.0 protocols.

For more information:
SA46168

11) An error within ImageIO when handling CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow.

For more information see vulnerability #1 in:
SA43593

12) An error in ImageIO within the handling of CCITT Group 4 encoded TIFF image files can be exploited to cause a heap-based buffer overflow.

For more information see vulnerability #9 in:
SA45325

13) An error within ICU (International Components for Unicode) can be exploited to cause a buffer overflow.

For more information see vulnerability #11 in:
SA45054

14) An error within the kernel does not reclaim memory from incomplete TCP connections, which can be exploited to exhaust system resources by connecting to a listening service and cause the device to reset.

15) A NULL-pointer dereference error within the kernel when handling IPv6 socket options can be exploited to cause the device to reset.

16) An error within libxml can be exploited to cause a heap-based buffer overflow.

For more information see vulnerability #12 in:
SA45325

17) An error in the OfficeImport framework when processing certain records within Microsoft Word files can be exploited to corrupt memory.

18) An error within OfficeImport when viewing certain Microsoft Excel files can be exploited to cause a buffer overflow.

19) An indexing error exists in the OfficeImport framework when processing certain records in a Microsoft Word file.

For more information see vulnerability #19 in:
SA45054

20) An error in the OfficeImport framework when processing records can be exploited to corrupt memory.

For more information see vulnerability #28 in:
SA43814

21) An error in MobileSafari when handling the HTTP "Content-Disposition" header can be exploited to open an attachment without showing the "Open" dialog prompt and conduct cross-site scripting attacks.

22) The parental restrictions feature stores the restrictions passcode in plaintext on disk and can be exploited to disclose the passcode.

23) An error within UIKit does not properly handle "tel:" URIs and can be exploited to cause the device to hang by tricking the user into visiting a malicious website.

24) Some vulnerabilities are caused due to a bundled vulnerable version of WebKit.

For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45498
SA46339
SA46412

25) The WiFi credentials are stored in a file readable by other applications, which may lead to the credentials being disclosed.

Successful exploitation of vulnerabilities #6, #16 – #20, and #24 may allow execution of arbitrary code.


Solution
Apply iOS 5 Software Update.

Provided and/or discovered by
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
17) Tobias Klein via iDefense.
21) Christian Matthies via iDefense.
21) Yoshinori Oota, Business Architects via JP/CERT.

The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
18) Tobias Klein, www.trapkit.de
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security

Original Advisory
Apple:
http://support.apple.com/kb/HT4999

nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt

iDefense:
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=950
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=951

JVN (English):
http://jvn.jp/en/jp/JVN41657660/index.html

JVN (Japanese):
http://jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-000088.html

© 2002-2013 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144