Multiple vulnerabilities have been identified in Apple iPhone, which could be exploited by attackers to disclose sensitive information, manipulate certain data, execute arbitrary scripting code, cause a denial of service or take complete control of an affected device.
The first issue is caused by an input validation error in the Bluetooth server when processing Service Discovery Protocol (SDP) packets, which could be exploited by an attacker within Bluetooth range to cause an unexpected application termination or arbitrary code execution.
The second vulnerability is caused by an error in Mail that does not warn the user when the identity of the mail server has changed or cannot be trusted when it is configured to use SSL for incoming and outgoing connections, which could be exploited by an attacker capable of intercepting the connection to impersonate the user's mail server and obtain the user's credentials or certain sensitive information.
The third weakness is caused by an error in Mail that dials phone numbers without confirmation when following telephone ("tel:") links, which could be exploited by an attacker to cause a vulnerable device to place calls without user confirmation.
The fourth issue is caused by a design error in Safari that allows a web page to read the URL that is currently being viewed in its parent window, which may lead to the disclosure of URL contents.
The fifth weakness is caused by an error in Safari that does not properly display the number that will be dialed when processing ("tel:") links, which could be exploited by attackers to cause place arbitrary calls and cause a different number to be displayed during confirmation than the one actually dialed.
The sixth issue is caused by an error in Safari when handling window properties, which could be exploited to conduct cross-site scripting attacks.
The seventh vulnerability is cause by an error in Safari where disabling JavaScript does not take effect until the browser is restarted, which may mislead users into believing that JavaScript is disabled when it is not.
The eigth issue is caused by an error in Safari when handling "frame" tags, which could be exploited to bypass the same-origin policy and conduct cross-domain scripting attacks.
The ninth vulnerability is caused by an error in Safari when handling certain JavaScript events, which could be exploited to conduct cross-site scripting attacks.
The tenth issue is caused by an error in Safari that does not limit access between JavaScript executing in HTTP and HTTPS frames, which could allow content served over HTTP to alter or access content served over HTTPS in the same domain.
Credits
Vulnerabilities reported by John Hering (Flexilis Mobile Security), Andi Baritchi (McAfee), Michal Zalewski (Google), Secunia Research, Billy Hoffman, Bryan Sullivan (HP Security Labs / SPI Labs), Eduardo Tang, and Keigo Yamazaki (LAC Co).
ChangeLog
2007-09-28 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
