Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people with physical access to disclose certain information and by malicious people to conduct script insertion, cross-site scripting, and spoofing attacks, disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate the SSL certificate when synchronizing the calendar, which can be exploited to disclose encrypted information e.g. using a Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in Calendar before being returned to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and username in the log file readable by applications, which can be exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain access of HTTP cookies, which can be exploited to access the cookies of another web site.
5) An error exists within CoreFoundation when handling string tokenization.
For more information see vulnerability #1 in: SA46339
6) Multiple errors within CoreGraphics when handling certain FreeType fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site redirects and can be exploited to disclose video data.
8) An error exists within the Data Access component when handling multiple accounts configured on the same server and can be exploited to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which could lead to weak cryptographic certificates being used. This can be exploited to disclose encrypted information e.g. using a Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and TLS 1.0 protocols.
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in: SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded TIFF image files can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #9 in: SA45325
13) An error within ICU (International Components for Unicode) can be exploited to cause a buffer overflow.
For more information see vulnerability #11 in: SA45054
14) An error within the kernel does not reclaim memory from incomplete TCP connections, which can be exploited to exhaust system resources by connecting to a listening service and cause the device to reset.
15) A NULL-pointer dereference error within the kernel when handling IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #12 in: SA45325
17) An error in the OfficeImport framework when processing certain records within Microsoft Word files can be exploited to corrupt memory.
18) An error within OfficeImport when viewing certain Microsoft Excel files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in: SA45054
20) An error in the OfficeImport framework when processing records can be exploited to corrupt memory.
For more information see vulnerability #28 in: SA43814
21) An error in MobileSafari when handling the HTTP "Content-Disposition" header can be exploited to open an attachment without showing the "Open" dialog prompt and conduct cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions passcode in plaintext on disk and can be exploited to disclose the passcode.
23) An error within UIKit does not properly handle "tel:" URIs and can be exploited to cause the device to hang by tricking the user into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable version of WebKit.
25) The WiFi credentials are stored in a file readable by other applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 – #20, and #24 may allow execution of arbitrary code.
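As an added check for item 9 (this is example code, not code from the advisory or from Apple), a small Python routine that reads the signatureAlgorithm OID out of a DER-encoded certificate and flags MD5-based signatures so a verifier can reject such chains; the sample certificates it builds are constructed DER skeletons, not real certificates.

```python
# Added example (not from the Secunia advisory or Apple): reject X.509 certificates signed with MD5 (item 9).
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4"}  # md5WithRSAEncryption (PKCS#1)

def _read_tlv(buf, pos):  # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x80|N, then N big-endian length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):  # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der_cert):
    """Return the dotted OID in a DER Certificate's outer signatureAlgorithm."""
    _, cert, _ = _read_tlv(der_cert, 0)  # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)  # signatureAlgorithm ::= SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)   # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "AlgorithmIdentifier must start with an OBJECT IDENTIFIER"
    return _decode_oid(oid)

def uses_md5_signature(der_cert):  # True -> a verifier should reject the chain
    return signature_algorithm_oid(der_cert) in MD5_SIGNATURE_OIDS

# DER encoders used only to build constructed skeleton sample certificates (not real ones).
def _tlv(tag, value):
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_certificate(sig_oid):  # empty tbsCertificate, real AlgorithmIdentifier, dummy signature
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00" * 17))
```

The same OID check belongs on every certificate in a chain, not only the leaf, since a weak intermediate undermines the chain just as much.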
Solution: Apply iOS 5 Software Update.
Provided and/or discovered by: 1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
17) Tobias Klein via iDefense.
21) Christian Matthies via iDefense.
21) Yoshinori Oota, Business Architects via JP/CERT.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
18) Tobias Klein, www.trapkit.de
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
Original Advisory: Apple: