Apple Plugs Critical iPhone Security Holes

Apple has shipped a patch to cover five documented vulnerabilities that expose iPhone and iPod Touch users to malicious hacker attacks. The most serious flaw could allow remote code execution if an iPhone/iPod Touch user opens audio and image files.

Apple has shipped a patch to cover five documented vulnerabilities that expose iPhone and iPod Touch users to malicious hacker attacks. The most serious flaw could allow remote code execution if an iPhone/iPod Touch user opens audio and image files.

Here’s the skinny on the vulnerabilities being patched with this iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod Touch update:

  • CoreAudio (CVE-2010-0036) — A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
  • ImageIO (CVE-2009-2285) —  A buffer underflow exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Recovery Mode (CVE-2010-0038) — A memory corruption issue exists in the handling of a certain USB control message. A person with physical access to the device could use this to bypass the passcode and access the user’s data.
  • WebKit (CVE-2009-3384) — Multiple input validation issues exist in WebKit’s handling of FTP directory listings. Accessing a maliciously crafted FTP server may lead to information disclosure, unexpected application termination, or execution of arbitrary code.
  • WebKit (CVE-2009-2841) — When WebKit encounters an HTML 5 Media Element pointing to an external resource, it does not issue a resource load callback to determine if the resource should be loaded. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read.

This iPhone/iPod Touch update is only available through iTunes and will not appear in the software update utility available in Mac and Windows systems.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business