----------------------------------------------------------------------

The final version of the CSI 6.0 has been released. 
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/

----------------------------------------------------------------------

TITLE:
Apple iOS Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA50586

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50586/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50586

RELEASE DATE:
2012-09-20

DISCUSS ADVISORY:
http://secunia.com/advisories/50586/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/50586/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=50586

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious, local users to disclose system information
and gain escalated privileges, by malicious people to disclose
potentially sensitive information, conducts spoofing attacks, and
compromise a user's device, and by malicious people with physical
access to disclose potentially sensitive information and bypass
certain security restrictions.

1) An error in CFNetwork when handling certain URLs can be exploited
to submit data to an incorrect hostname.

2) Some vulnerabilities exist in the bundled version of FreeType.

For more information:
SA48268

3) An error in CoreMedia when processing Sorenson encoded movies can
be exploited to dereference uninitialized memory.

4) An error in DHCP when connection to WiFi networks may disclose a
MAC address of previously accessed networks via DNAv4 protocol.

5) ImageIO bundles a vulnerable version of LibTIFF library.

For more information:
SA43593
SA48684

6) ImageIO bundles a vulnerable version of libpng library.

For more information:
SA46148
SA48026
SA48587

7) An double-free error exists in ImageIO when processing JPEG
images.

8) An error in International Components for Unicode when handling
locale IDs can be exploited to cause a stack-based buffer overflow.

9) A boundary error in IPSec when loading racoon configuration files
can be exploited to cause a buffer overflow.

10) An error in the kernel when handling packet filter IOCTLs can be
exploited to dereference an invalid pointer.

11) An error in the kernel when related to BPF interpreter can be
exploited to disclose certain memory content.

12) Some vulnerabilities exist in the bundled version of libxml
library.

For more information:
SA44711
SA46632

13) An error in Mail when handling attachments can be exploited to
disclose a unintended attachments via the "Content-ID" field.

14) An error in Mail within Data Protection on attachments can be
exploited to access an attachment without a passcode.

15) An error in Mail when processing S/MIME signed messages does not
display the correct identity of a signer and can be exploited to
spoof an identity via the "From" field.

16) An error in Messages when multiple email addresses are used may
result in replies being sent using the wrong address.

17) An error in Office Viewer when processing document files may
result in data being stored in temporary files in a decrypted state
even when data protection / encryption is enabled.

18) An error in OpenGL when performing GLSL compilation can be
exploited to corrupt memory.

19) An error in Passcode Lock related to "Slide to Power Off" slider
may disclose the last used third party application.

20) An error in Passcode Lock related to termination of FaceTime
calls may allow bypassing the screen lock.

21) An error in Passcode Lock related to lock screen photos may
disclose all photos accessible at the lock screen.

22) An error in Passcode Lock related to Emergency Dialer screen may
allow making FaceTime calls and disclose user's contacts.

23) An error in Passcode Lock related to the camera usage may allow
bypassing the screen lock.

24) An error in Passcode Lock related lock state management may allow
bypassing the screen lock.

25) An error in Restrictions during purchase transactions may result
in transaction being made without the Appled ID credentials.

26) An error in Safari when handling certain Unicode characters may
allow spoofing the lock icon in the page title.

27) An error in Safari when handling password input elements with a
disabled "autocomplete" attribute allowed the input to be
autocompleted.

28) An error in System Logs due to weak restrictions on the
"/var/log" directory can be exploited by sandboxed applications to
disclose log details.

29) An error in Telephony did not properly display the return address
of SMS messages.

30) An off-by-one error in Telephony when handling SMS data headers
can be exploited to disable cellular activity.

31) An error in UIKit within UIWebView may result in unencrypted
files being stored even when a passcode is enabled.

32) Multiple vulnerabilities exist in WebKit.

For more information:
SA46594
SA47231
SA47694
SA47938
SA48016
SA48265
SA48274
SA48512
SA48618
SA48732
SA48992
SA49194
SA49277
SA49724
SA49906
SA50058

SOLUTION:
Upgrade to iOS 6 via Software Update.

PROVIDED AND/OR DISCOVERED BY:
8, 28) Reported by the vendor.

The vendor also credits:
1) Erling Ellingsen, Facebook
3) Will Dormann, CERT/CC
4) Mark Wuergler, Immunity, Inc.
7) Phil, PKJE Consulting
9, 10) iOS Jailbreak Dream Team
11) Dan Rosenberg
13) Angelo Prado, salesforce.com Product Security Team
14) Stephen Prairie, Travelers Insurance, Erich Stuntebeck of
AirWatch
15) Anonymous person
16) Rodney S. Foley, Gnomesoft, LLC
17) Salvatore Cataudella, Open Systems Technologies
19) Chris Lawrence, DBB
20, 24) Ian Vitek, 2Secure AB
21, 22) Ade Barkah, BlueWax Inc.
23) Sebastian Spanninger, Austrian Federal Computing Centre (BRZ)
25) Kevin Makens, Redwood High School
26) Boku Kihara, Lepidum
27) Dan Poltawski, Moodle
29, 30) pod2g
31) Ben Smith, Box

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5503

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------