---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA50586 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/50586/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=50586 RELEASE DATE: 2012-09-20 DISCUSS ADVISORY: http://secunia.com/advisories/50586/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/50586/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=50586 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious, local users to disclose system information and gain escalated privileges, by malicious people to disclose potentially sensitive information, conducts spoofing attacks, and compromise a user's device, and by malicious people with physical access to disclose potentially sensitive information and bypass certain security restrictions. 1) An error in CFNetwork when handling certain URLs can be exploited to submit data to an incorrect hostname. 2) Some vulnerabilities exist in the bundled version of FreeType. For more information: SA48268 3) An error in CoreMedia when processing Sorenson encoded movies can be exploited to dereference uninitialized memory. 4) An error in DHCP when connection to WiFi networks may disclose a MAC address of previously accessed networks via DNAv4 protocol. 5) ImageIO bundles a vulnerable version of LibTIFF library. For more information: SA43593 SA48684 6) ImageIO bundles a vulnerable version of libpng library. For more information: SA46148 SA48026 SA48587 7) An double-free error exists in ImageIO when processing JPEG images. 8) An error in International Components for Unicode when handling locale IDs can be exploited to cause a stack-based buffer overflow. 9) A boundary error in IPSec when loading racoon configuration files can be exploited to cause a buffer overflow. 10) An error in the kernel when handling packet filter IOCTLs can be exploited to dereference an invalid pointer. 11) An error in the kernel when related to BPF interpreter can be exploited to disclose certain memory content. 12) Some vulnerabilities exist in the bundled version of libxml library. For more information: SA44711 SA46632 13) An error in Mail when handling attachments can be exploited to disclose a unintended attachments via the "Content-ID" field. 14) An error in Mail within Data Protection on attachments can be exploited to access an attachment without a passcode. 15) An error in Mail when processing S/MIME signed messages does not display the correct identity of a signer and can be exploited to spoof an identity via the "From" field. 16) An error in Messages when multiple email addresses are used may result in replies being sent using the wrong address. 17) An error in Office Viewer when processing document files may result in data being stored in temporary files in a decrypted state even when data protection / encryption is enabled. 18) An error in OpenGL when performing GLSL compilation can be exploited to corrupt memory. 19) An error in Passcode Lock related to "Slide to Power Off" slider may disclose the last used third party application. 20) An error in Passcode Lock related to termination of FaceTime calls may allow bypassing the screen lock. 21) An error in Passcode Lock related to lock screen photos may disclose all photos accessible at the lock screen. 22) An error in Passcode Lock related to Emergency Dialer screen may allow making FaceTime calls and disclose user's contacts. 23) An error in Passcode Lock related to the camera usage may allow bypassing the screen lock. 24) An error in Passcode Lock related lock state management may allow bypassing the screen lock. 25) An error in Restrictions during purchase transactions may result in transaction being made without the Appled ID credentials. 26) An error in Safari when handling certain Unicode characters may allow spoofing the lock icon in the page title. 27) An error in Safari when handling password input elements with a disabled "autocomplete" attribute allowed the input to be autocompleted. 28) An error in System Logs due to weak restrictions on the "/var/log" directory can be exploited by sandboxed applications to disclose log details. 29) An error in Telephony did not properly display the return address of SMS messages. 30) An off-by-one error in Telephony when handling SMS data headers can be exploited to disable cellular activity. 31) An error in UIKit within UIWebView may result in unencrypted files being stored even when a passcode is enabled. 32) Multiple vulnerabilities exist in WebKit. For more information: SA46594 SA47231 SA47694 SA47938 SA48016 SA48265 SA48274 SA48512 SA48618 SA48732 SA48992 SA49194 SA49277 SA49724 SA49906 SA50058 SOLUTION: Upgrade to iOS 6 via Software Update. PROVIDED AND/OR DISCOVERED BY: 8, 28) Reported by the vendor. The vendor also credits: 1) Erling Ellingsen, Facebook 3) Will Dormann, CERT/CC 4) Mark Wuergler, Immunity, Inc. 7) Phil, PKJE Consulting 9, 10) iOS Jailbreak Dream Team 11) Dan Rosenberg 13) Angelo Prado, salesforce.com Product Security Team 14) Stephen Prairie, Travelers Insurance, Erich Stuntebeck of AirWatch 15) Anonymous person 16) Rodney S. Foley, Gnomesoft, LLC 17) Salvatore Cataudella, Open Systems Technologies 19) Chris Lawrence, DBB 20, 24) Ian Vitek, 2Secure AB 21, 22) Ade Barkah, BlueWax Inc. 23) Sebastian Spanninger, Austrian Federal Computing Centre (BRZ) 25) Kevin Makens, Redwood High School 26) Boku Kihara, Lepidum 27) Dan Poltawski, Moodle 29, 30) pod2g 31) Ben Smith, Box ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT5503 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------