Multiple vulnerabilities have been identified in Apple iPhone and iPod touch, which could be exploited by remote attackers to disclose sensitive information, spoof certain data, cause a denial of service or compromise a vulnerable device.
The first issue is caused by an error in CFNetwork when processing 502 Bad Gateway error data returned by a malicious HTTPS proxy server, which could allow a secure website to be spoofed.
The second weakness is caused by an undetected failure condition in Kernel when handling packets with an IPComp header. For additional information, see : FrSIRT/ADV-2008-0567
The third issue is caused by an error in Safari when rendering Unicode ideographic spaces while displaying the current URL in the address bar, which could be exploited to spoof arbitrary domains.
The fourth weakness is caused by an error in Safari when accessing a website that uses a self-signed or invalid certificate, which may lead to the disclosure of sensitive information.
The fifth vulnerability is caused by a signedness error in Safari's handling of JavaScript array indices, which may lead to an unexpected application termination or arbitrary code execution.
The sixth issue is caused by an input validation error in Safari when handling specially crafted HTML tags containing byte order mark sequences, which may lead to cross-site scripting.
The seventh vulnerability is caused by a memory corruption error in WebKit's handling of JavaScript arrays, which could be exploited to crash Safari or execute arbitrary code.
The eighth issue is caused by a memory corruption error in WebCore's handling of style sheet elements, which could be exploited to crash Safari or execute arbitrary code.
The ninth weakness is caused by a memory consumption error in the handling of XML documents containing invalid UTF-8 sequences, which may lead to a denial of service. For additional information, see : FrSIRT/ADV-2008-0117
The tenth vulnerability is caused by a memory corruption error in the libxslt library when handling malformed HTML data, which could be exploited to crash Safari or execute arbitrary code.
The eleventh issue is caused by a memory corruption error in JavaScriptCore's handling of runtime garbage collection, which could be exploited to crash a vulnerable application or execute arbitrary code.
The twelfth vulnerability is caused by an input validation error in WebKit when handling URLs containing a colon character in the host name, which could be exploited to conduct cross site scripting attacks.
The thirteenth issue is caused by a heap buffer overflow in WebKit's handling of JavaScript regular expressions, which may lead to an unexpected application termination or arbitrary code execution.
Credits
Vulnerabilities reported by Hiromitsu Takagi, SkyLined (Google), Chris Weber (Casaba Security), James Urquhart, Peter Vreudegnhil, ZDI, Anthony de Almeida Lopes (Outpost24 AB), Chris Evans (Google Security Team), Itzik Kotler and Jonathan Rom (Radware), Robert Swiecki (Google Security Team), David Bloom, and Charlie Miller (Independent Security Evaluators).
ChangeLog
2008-07-14 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
