Secunia Security Advisory 46377

Posted Oct 13, 2011
Authored by Secunia | Site secunia.com

Secunia Security Advisory - Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people with physical access to disclose certain information and by malicious people to conduct script insertion, cross-site scripting, and spoofing attacks, disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a user's device.

tags | advisory, denial of service, spoof, vulnerability, xss
systems | cisco, apple
SHA-256 | 9988e49869fae63b86783adbd73e8844b8f51e6f1dd9e4bb4108d87014ff4494

TITLE:
Apple iOS Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA46377

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377

RELEASE DATE:
2011-10-14

DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.

1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.

2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in the context of an affected site when the
malicious invitation is being viewed.

3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.

4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.

5) An error exists within CoreFoundation when handling string
tokenization.

For more information see vulnerability #1 in:
SA46339

6) Multiple errors within CoreGraphics when handling certain
FreeType fonts can be exploited to corrupt memory.

7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.

8) An error exists within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.

9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.

10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.

For more information:
SA46168

11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.

For more information see vulnerability #1 in:
SA43593

12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.

For more information see vulnerability #9 in:
SA45325

13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.

For more information see vulnerability #11 in:
SA45054

14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.

15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.

16) An error within libxml can be exploited to cause a heap-based
buffer overflow.

For more information see vulnerability #12 in:
SA45325

17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.

18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.

19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.

For more information see vulnerability #19 in:
SA45054

20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.

For more information see vulnerability #28 in:
SA43814

21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.

22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.

23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.

24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.

For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412

25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.

Successful exploitation of vulnerabilities #6, #16 – #20, and #24 may
allow execution of arbitrary code.

SOLUTION:
Apply iOS 5 Software Update.

PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.

The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999

nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
