Apple iOS 4 deals with 60+ vulnerabilities
Apple iOS 4, released yesterday, didn’t just bring eye candy, new functionality and bug fixes. The major update also addressed more than 60 vulnerabilities, outlined below.
Application Sandbox
The Application Sandbox does not prevent applications from directly accessing the user’s photo library. This may allow an application to determine visited locations without authorization. This issue is addressed by modifying the Application Sandbox to prevent direct access to the user’s photo library.
CFNetwork
A stack overflow exists in CFNetwork’s URL handling code. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling.
ImageIO
An uninitialized memory access issue exists in ImageIO’s handling of BMP images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory initialization and additional validation of BMP images.
An uninitialized memory access issue exists in ImageIO’s handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory initialization and additional validation of TIFF images.
A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling.
A memory corruption issue exists in the handling of JPEG images. Processing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling.
LibSystem
A buffer overflow exists in the floating point binary to text conversion code within LibSystem. An attacker who can cause an application to convert a floating point value into a long string, or to parse a maliciously crafted string as a floating point value, may be able to cause an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
libxml
Multiple use after free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. The issues are addressed through improved memory handling.
Passcode Lock
If the device is unlocked in response to an alert, such as receiving a text message or voicemail, and MobileMe is then used to Remote Lock the device, then the next unlock of the device will have the passcode already entered. A person with physical access to the device will not require the passcode in this situation. This issue is addressed by properly clearing the passcode.
A device with a passcode set may only be paired with a computer if the device is unlocked. A race condition permits pairing for a short period after the initial boot, if the device was unlocked before powering down. If the device was shut down from a locked state, this issue does not occur. This issue is addressed through improved checking for the locked state.
Safari
An implementation issue exists in the handling of cookie preferences. Cookie preferences are not applied until Safari is restarted. Cookies may be set by third-party sites even when the Accept Cookies preference is set to “From visited” or “Never”. This issue is addressed by applying the Accept Cookies preference.
Safari supports the inclusion of user information in URLs, which allows the URL to specify a username and password to authenticate the user to the named server. These URLs are often used to confuse users, which can potentially aid phishing attacks. Safari is updated to display a warning before navigating to an HTTP or HTTPS URL containing user information.
When Safari reaches a website via a 302 redirection and a certificate warning is displayed, the URL bar will contain the original website URL instead of the current website URL. This may allow a maliciously crafted website that is reached via an open redirector on a user-trusted website to control the displayed website URL while a certificate warning is displayed. This issue is addressed by returning the correct URL in the underlying CFNetwork layer.
Settings
A design issue exists in the Settings application. When connected to a hidden wireless network, the Settings application may incorrectly indicate another wireless network. This issue is addressed by properly displaying the active wireless network.
WebKit
A buffer overflow exists in WebKit’s parsing of floating point numbers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. The issue is addressed through improved bounds checking.
An issue exists in WebKit’s implementation of Cross-Origin Resource Sharing. Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request to the latter server for access to the resource. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery. This issue is addressed by removing custom HTTP headers from preflight requests.
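The preflight behaviour described above, as an added example that is not WebKit's or Apple's code: the browser side lists the non-safelisted header names in Access-Control-Request-Headers but never sends the custom headers themselves, and the server side approves only an origin, method and header set it has explicitly chosen. Origins, header names and the policy are constructed for this example.

```javascript
// Added example, not WebKit's code: the two halves of a CORS preflight. The
// browser side names the non-safelisted headers the real request will carry in
// Access-Control-Request-Headers but does not send the headers themselves; the
// server side approves only an origin, method and header set it has chosen to
// allow. Origins, header names and the policy are constructed for this example.

const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// A header is safelisted (needs no preflight) only by name, and for
// Content-Type only with one of the three form-style media types.
function isSafelisted(name, value) {
  if (SAFELISTED.has(name)) return true;
  if (name === 'content-type') {
    const mime = String(value).split(';')[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.includes(mime);
  }
  return false;
}

// Browser side: the OPTIONS request that precedes a cross-origin request.
function buildPreflight(origin, intended) {
  const names = Object.entries(intended.headers || {})
    .map(([n, v]) => [n.toLowerCase(), v])
    .filter(([n, v]) => !isSafelisted(n, v))
    .map(([n]) => n)
    .sort();
  const headers = { origin, 'access-control-request-method': intended.method };
  // Only the names travel here; the values stay with the real request, which
  // is sent only if the server approves.
  if (names.length) headers['access-control-request-headers'] = names.join(', ');
  return { method: 'OPTIONS', url: intended.url, headers };
}

// Server side: approve or refuse the preflight against an explicit policy.
function answerPreflight(preflight, policy) {
  const h = preflight.headers;
  const refuse = { status: 403, headers: {} };
  if (!policy.origins.includes(h.origin)) return refuse;
  if (!policy.methods.includes(h['access-control-request-method'])) return refuse;
  const wanted = (h['access-control-request-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.headers.map((s) => s.toLowerCase());
  if (!wanted.every((n) => allowed.includes(n))) return refuse;
  return {
    status: 204,
    headers: {
      'access-control-allow-origin': h.origin,
      'access-control-allow-methods': policy.methods.join(', '),
      'access-control-allow-headers': policy.headers.join(', '),
    },
  };
}

// Constructed exchange: a JSON PUT with a custom header from app.example.test.
const intended = {
  method: 'PUT',
  url: 'https://api.example.test/items/1',
  headers: { 'Content-Type': 'application/json', 'X-Request-Id': 'req-0001' },
};
const preflight = buildPreflight('https://app.example.test', intended);
const policy = {
  origins: ['https://app.example.test'],
  methods: ['GET', 'PUT'],
  headers: ['Content-Type', 'X-Request-Id'],
};
const reply = answerPreflight(preflight, policy);
```

The point of the split is visible in the preflight object: it carries the header names and nothing else, so a server that has not consented receives no attacker-chosen header values on the OPTIONS request.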
An issue in WebKit’s handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. This issue is addressed through improved handling of URLs.
A scope management issue exists in WebKit’s handling of event objects. Visiting a malicious site may lead to a cross-site scripting attack. This issue is addressed through improved handling of event objects. Credit to Gianni “gf3” Chiappetta of Runlevel6 for reporting this issue.
An implementation issue exists in WebKit’s handling of cross-origin stylesheet requests. Visiting a maliciously crafted website may disclose the content of protected resources on another website. This issue is addressed by performing additional validation on stylesheets that are loaded during a cross-origin request.
A canonicalization issue exists in WebKit’s handling of UTF-7 encoded text. An HTML quoted string may be left unterminated, leading to a cross-site scripting attack or other issues. This issue is addressed by removing support for UTF-7 encoding in WebKit.
A use-after-free issue exists in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
A use-after-free issue exists in the rendering of content with a CSS display property set to ‘run-in’. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
A use-after-free issue exists in WebKit’s handling of incorrectly nested HTML tags. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
When WebKit is redirected from an HTTPS site to an HTTP site, the Referer header is passed to the HTTP site. This can lead to the disclosure of sensitive information contained in the URL of the HTTPS site. This issue is addressed by not passing the Referer header when an HTTPS site redirects to an HTTP site.
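The downgrade rule described above, as an added example that is not WebKit's or Apple's code: no Referer is produced when an https: page leads to an http: destination, and the referrer that is produced never carries userinfo or a fragment. It goes slightly beyond the item by evaluating a whole redirect chain against the page that started the request. All URLs are constructed.

```javascript
// Added example, not WebKit's code: the Referer a browser should attach when a
// request moves from one URL to another. It implements the
// "no-referrer-when-downgrade" rule the fix describes (an https: referrer is
// never sent to an http: destination) and, when a referrer is sent, strips the
// userinfo and fragment that must never leave the browser. URLs are constructed.

function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Only http(s) referrers are meaningful to a remote server.
  if (from.protocol !== 'https:' && from.protocol !== 'http:') return null;
  // Downgrade: a secure page leading to a plain-text destination gets nothing.
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  // Credentials and fragment are never part of a Referer value.
  from.username = '';
  from.password = '';
  from.hash = '';
  return from.href;
}

// A redirect chain is evaluated hop by hop against the page that started the
// request, so a chain that starts on https: and lands on http: loses the
// header exactly at the downgrade.
function refererAcrossRedirects(initiator, chain) {
  return chain.map((hop) => ({ url: hop, referer: refererFor(initiator, hop) }));
}

// Constructed scenario from the item above: a secure page whose URL carries a
// token, redirected through a secure service to a plain-http endpoint.
const hops = refererAcrossRedirects(
  'https://bank.example.test/reset?token=constructed-secret#step2',
  ['https://svc.example.test/go', 'http://plain.example.test/landing'],
);
```

The query string is deliberately kept for same-protection hops (that is what a Referer is for); the defence in the item is about the protocol boundary, not about hiding the query everywhere.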
A use-after-free issue exists in WebKit’s parsing of XML documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
A memory corruption issue exists in WebKit’s handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS format() arguments.
A use-after-free issue exists in WebKit’s handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
A use after free issue exists in WebKit’s rendering of a selection when the layout changes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of selections.
A use-after-free issue exists in the handling of HTML elements containing right-to-left displayed text. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
An information disclosure issue exists in WebKit’s handling of Cascading Stylesheets. If a stylesheet’s HREF attribute is set to a URL that causes a redirection, scripts on the page may be able to access the redirected URL. Visiting a maliciously crafted website may lead to the disclosure of sensitive URLs on another site. This issue is addressed by returning the original URL to scripts, rather than the redirected URL.
A use-after-free issue exists in WebKit’s handling of HTML image elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
A use after free issue exists in WebKit’s handling of attribute manipulation. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
A use after free issue exists in JavaScriptCore during page transitions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
A use after free issue exists in WebKit’s handling of caption elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of caption elements.
Common IRC service ports are not included in WebKit’s port blacklist. Visiting a maliciously crafted website may allow remotely specified data to be sent to an IRC server. This may cause the server to take unintended actions on the user’s behalf. This issue is addressed by adding the affected ports to WebKit’s port blacklist.
A memory corruption issue exists in WebKit’s handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions.
A double free issue exists in WebKit’s handling of event listeners in SVG images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of SVG images.
A design issue exists in WebKit’s handling of HTML document fragments. The contents of HTML document fragments are processed before a fragment is actually added to a document. Visiting a maliciously crafted website could lead to a cross-site scripting attack if a legitimate website attempts to manipulate a document fragment containing untrusted data. This issue is addressed by ensuring that initial fragment parsing has no side effects on the document that created the fragment.
An uninitialized memory access issue exists in WebKit’s handling of selection changes on form input elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of selections.
A use after free issue exists in WebKit’s handling of the removal of container elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
A use after free issue exists in WebKit’s handling of the ‘:first-letter’ pseudo-element in cascading stylesheets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of the ‘:first-letter’ pseudo-element.
An uninitialized memory access issue exists in WebKit’s handling of malformed XML when rendering SVG images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of SVG images.
A use after free issue exists in WebKit’s handling of SVG images with multiple ‘use’ elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of ‘use’ elements in SVG images.
A memory corruption issue exists in WebKit’s handling of malformed XML in SVG images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of XML in SVG images.
A path traversal issue exists in WebKit’s support for Local Storage and Web SQL databases. If accessed from an application-defined scheme containing ‘%2f’ (/) or ‘%5c’ (\) and ‘..’ in the host section of the URL, a maliciously crafted website may cause database files to be created outside of the designated directory. This issue is addressed by encoding characters that may have special meaning in pathnames. This issue does not affect sites served from http: or https: schemes.
An integer truncation issue exists in WebKit’s handling of requests to non-default TCP ports. Visiting a maliciously crafted website may result in sending remotely specified data to arbitrary TCP ports. This issue is addressed by ensuring that port numbers are within the valid range.
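A pre-navigation policy check covering three items on this page (the port-range truncation above, the port blacklist for IRC services, and the Safari warning for URLs containing user information), as an added example that is not WebKit's or Apple's code. The port is range-checked rather than folded into 16 bits, blocked ports are refused, and http(s) URLs carrying userinfo are flagged so the caller can warn. The blocklist entries and the sample URLs are constructed; the exact ports Apple added are not stated on the page.

```javascript
// Added example, not WebKit's code: a pre-navigation policy check. The port is
// range-checked rather than folded into 16 bits, ports on a blocklist are
// refused (the IRC service range is included; the exact entries are an
// assumption), and http(s) URLs carrying userinfo are flagged for a warning.
// Sample URLs are constructed.

const BLOCKED_PORTS = new Set([25, 6665, 6666, 6667, 6668, 6669, 6697]);
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// Weak form: folding the port into 16 bits maps an out-of-range value onto a
// legitimate-looking one (72203 becomes 6667).
function truncatedPort(text) {
  return Number(text) & 0xffff;
}

// Correct form: a port is one to five decimal digits whose value is at most
// 65535; anything else is rejected, never wrapped.
function parsePort(text) {
  if (!/^\d{1,5}$/.test(text)) return null;
  const n = Number(text);
  return n <= 65535 ? n : null;
}

function checkNavigation(urlText) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(urlText);
  if (!m) return { allow: false, warn: false, reason: 'not a hierarchical URL' };
  const scheme = m[1].toLowerCase() + ':';
  let authority = m[2];
  // Userinfo in an http(s) URL is legal but a known confusion vector: warn.
  const warn = authority.includes('@') && (scheme === 'http:' || scheme === 'https:');
  authority = authority.slice(authority.lastIndexOf('@') + 1);
  let port = DEFAULT_PORTS[scheme] ?? null;
  // A port is whatever follows the last ':' outside an IPv6 bracket.
  const colon = authority.lastIndexOf(':');
  if (colon > authority.lastIndexOf(']')) {
    const text = authority.slice(colon + 1);
    if (text !== '') {
      port = parsePort(text);
      if (port === null) return { allow: false, warn, reason: 'port out of range' };
    }
  }
  if (port !== null && BLOCKED_PORTS.has(port)) {
    return { allow: false, warn, reason: `port ${port} is blocked` };
  }
  return { allow: true, warn, reason: warn ? 'URL contains user information' : 'ok' };
}
```

The decisive difference between the two port functions is that parsePort has no path that returns a different number from the one written in the URL: a value is either accepted as written or rejected.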
A use after free issue exists in WebKit’s rendering of HTML buttons. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
A use after free issue exists in WebKit’s handling of HTML elements with custom vertical positioning. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
An information disclosure issue exists in WebKit’s handling of the ‘history.replaceState’ method. Within an iframe, calls to replaceState affect the parent frame even if the parent is in a separate origin. Visiting a maliciously crafted website may result in an information disclosure. This issue is addressed by restricting the operation of replaceState calls to the current frame.
Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. This issue is addressed by not allowing iframe elements to display content outside their boundaries.
In certain circumstances, WebKit may send NTLM credentials in plain text. This would allow a man-in-the-middle attacker to view the NTLM credentials. This issue is addressed through improved handling of NTLM credentials.
Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
An issue in WebKit’s handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. This issue is addressed through improved handling of URLs.
A memory corruption issue exists in WebKit’s rendering of CSS-styled HTML content with multiple :after pseudo-selectors. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved rendering of HTML content.
A use after free issue exists in WebKit’s handling of the removeChild DOM method. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of child element removal.
An input validation issue exists in WebKit’s handling of the src attribute of the frame element. An attribute with a javascript scheme and leading spaces is considered valid. Visiting a maliciously crafted website could lead to a cross-site scripting attack. This update addresses the issue by properly validating frame.src before the URL is dereferenced.
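The validation described above, as an added example that is not WebKit's or Apple's code: the check reads the scheme a URL parser will actually see, after stripping leading and trailing controls and spaces and removing embedded tab and newline characters, instead of testing the raw attribute text. The prefix test that a leading space defeats is shown beside it. The scheme allowlist and the sample attribute values are constructed.

```javascript
// Added example, not WebKit's code: checking a frame's src on the scheme the
// URL parser will actually see rather than on the raw attribute text. Leading
// and trailing C0 controls and spaces are stripped and embedded tab/newline
// removed, as the URL parser does, before the scheme is read. The scheme
// allowlist is an assumption for this example.

const ALLOWED_FRAME_SCHEMES = new Set(['http:', 'https:', 'about:']);

// Weak form: a prefix test on the raw attribute, defeated by a leading space.
function naiveRejectsScript(attr) {
  return !attr.toLowerCase().startsWith('javascript:');
}

// Scheme as a URL parser would read it, or null for a relative reference.
function schemeOf(attr) {
  const cleaned = attr
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() + ':' : null;
}

// Allowlist on the parsed scheme; a relative reference resolves against the
// page's own scheme and is accepted.
function isAcceptableFrameSrc(attr) {
  const scheme = schemeOf(attr);
  if (scheme === null) return true;
  return ALLOWED_FRAME_SCHEMES.has(scheme);
}
```

An allowlist is used rather than a denylist of javascript: so that any scheme not deliberately approved for frames (data:, vbscript:, custom application schemes) is refused by default.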
A cross-site image capture issue exists in WebKit. By using a canvas with an SVG image pattern, a maliciously crafted website may load and capture an image from another website. This issue is addressed by restricting the reading of canvases that contain patterns loaded from other websites.
An API abuse issue exists in WebKit’s handling of libxml contexts. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of libxml context objects.
A use after free issue exists in WebKit’s handling of DOM Range objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of DOM Range objects.
A use after free issue exists in WebKit’s handling of the Node.normalize method. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of the Node.normalize method.
A use after free issue exists in WebKit’s rendering of HTML document subtrees. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved rendering of HTML document subtrees.
A design issue exists in the handling of HTML contained in textarea elements. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved validation of textarea elements.
An out of bounds memory access issue exists in WebKit’s handling of tables. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.