June
21, 2010 |
February 2, 2010 |
September 9, 2009 |
July 31, 2009 |
June 17, 2009 |
November 20, 2008 |
September 12, 2008 |
July 11, 2008 |
January 15, 2008 |
|
|
|
|
|
|
|
|
|
Application Sandbox |
CoreAudio |
CoreAudio |
CoreTelephony |
CoreGraphics |
CoreGraphics |
Application
Sandbox |
CFNetwork |
Foundation |
CVE-ID: CVE-2010-1751 |
CVE-ID: CVE-2010-0036 |
CVE-ID: CVE-2009-2206 |
CVE-ID: CVE-2009-2204 |
CVE-ID: CVE-2008-3623 |
CVE-ID: CVE-2008-2321 |
CVE-ID: CVE-2008-3631 |
CVE-ID: CVE-2008-0050 |
CVE-ID: CVE-2008-0035 |
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and
later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
Available for: iPhone OS 1.0 through iPhone OS 3.0 |
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v2.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1
through 1.1.2 |
Impact: An application may be able to infer the user's
location without authorization |
Impact: Playing a maliciously crafted mp4 audio file may lead to
an unexpected application termination or arbitrary code execution |
Impact: Opening a maliciously crafted AAC or MP3 file may lead
to an unexpected application termination or arbitrary code execution |
Impact: Receiving a maliciously crafted SMS message may lead to
an unexpected service interruption or arbitrary code execution |
Impact: Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
Impact: An application may be able to read another application's
files |
Impact: A malicious proxy server may spoof secure websites |
Impact: Accessing a maliciously crafted URL may lead to an
application termination or arbitrary code execution |
Description: The Application Sandbox does not prevent
applications from directly accessing the user's photo library. This may allow
an application to determine visited locations without authorization. This
issue is addressed by modifying the Application Sandbox to prevent direct
access to the user's photo library. Credit to Zac White for reporting this
issue. |
Description: A buffer overflow exists in the handling of mp4
audio files. Playing a maliciously crafted mp4 audio file may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved bounds checking. Credit to Tobias Klein of
trapkit.de for reporting this issue. |
Description: A heap buffer overflow exists in the handling of
AAC or MP3 files. Opening a maliciously crafted AAC or MP3 file may lead to
an unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit to Tobias
Klein of trapkit.de for reporting this issue. |
Description: A memory corruption issue exists in the decoding of
SMS messages. Receiving a maliciously crafted SMS message may lead to an
unexpected service interruption or arbitrary code execution. This update
addresses the issue through improved error handling. Credit to Charlie Miller
of Independent Security Evaluators, and Collin Mulliner of Technical
University Berlin for reporting this issue. |
Description: A heap buffer overflow exists in the handling of
color spaces within CoreGraphics. Viewing a maliciously crafted image may
lead to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking. Credit:
Apple. |
Description: CoreGraphics contains memory corruption issues in
the processing of arguments. Passing untrusted input to CoreGraphics via an
application, such as a web browser, may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue
through improved bounds checking. Credit to Michal Zalewski of Google for
reporting this issue. |
Description: The Application Sandbox does not properly enforce
access restrictions between third-party applications. This may allow a
third-party application to read files in another third-party application's
sandbox, and lead to the disclosure of sensitive information. This update
addresses the issue by enforcing the proper access restrictions between
application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell
for reporting this issue. This issue does not affect iPhone versions prior to
v2.0. |
Description: A malicious HTTPS proxy server may return arbitrary
data to CFNetwork in a 502 Bad Gateway error, which could allow a secure
website to be spoofed. This update addresses the issue by not returning the
proxy-supplied data on an error condition. |
Description: A memory corruption issue exists in Safari's
handling of URLs. By enticing a user to access a maliciously crafted URL, an
attacker may cause an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of URLs. |
|
|
|
|
|
|
|
|
|
CFNetwork |
ImageIO |
Exchange
Support |
|
CoreGraphics |
ImageIO |
CoreGraphics |
Kernel |
Passcode
Lock |
CVE-ID: CVE-2010-1752 |
CVE-ID: CVE-2009-2285 |
CVE-ID: CVE-2009-2794 |
|
CVE-ID:
CVE-2009-0145 |
CVE-ID: CVE-2008-2327 |
CVE-ID: CVE-2008-1806, CVE-2008-1807, CVE-2008-1808 |
CVE-ID: CVE-2008-0177 |
CVE-ID: CVE-2008-0034 |
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and
later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
|
Available
for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
Available for: iPhone v1.0 through v1.1.2 |
Impact: Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution |
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution |
Impact: A person with physical access to a device may be able to
use it after the timeout period specified by an Exchange administrator |
|
Impact:
Opening a maliciously crafted PDF file may lead to an unexpected application
termination or arbitrary code execution |
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution |
Impact: Multiple vulnerabilities in FreeType v2.3.5 |
Impact: A remote attacker may be able to cause an unexpected
device reset |
Impact: An unauthorized user may bypass the Passcode Lock and
launch iPhone applications |
Description: A stack overflow exists in CFNetwork's URL
handling code. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved memory handling. Credit to Laurent OUDOT of
TEHTRI-Security for reporting this issue. |
Description: A buffer underflow exists in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved bounds checking. |
Description: iPhone OS provides the ability to communicate via
services provided by a Microsoft Exchange server. An administrator of an
Exchange server has the ability to specify a "Maximum inactivity time
lock" setting. This requires the user to reenter their passcode after
the expiration of the inactivity time in order to use the Exchange services.
iPhone OS allows a user to specify a "Require Passcode" setting
that may extend up to 4 hours. The "Require Passcode" setting is
not affected by the "Maximum inactivity time lock" setting. If the
user has "Require Passcode" set to a value higher than the
"Maximum inactivity time lock" setting, this would allow a window
of time for a person with physical access to use the device, including
Exchange services. This update addresses the issue by disabling user choices
for "Require Passcode" values greater than the "Maximum
inactivity time lock" setting. This issue only affects iPhone OS 2.0 and
later, and iPhone OS for iPod touch 2.0 and later. Credit to Allan Steven,
Robert Duran, Jeff Beckham of PepsiCo, Joshua Levitsky, Michael Breton of
Intel Corporation, Mike Karban of Edward Jones, and Steve Moriarty of Agilent
Technologies for reporting this issue. |
|
Description:
Multiple memory corruption issues exist in CoreGraphics' handling of PDF
files. Opening a maliciously crafted PDF file may lead to an unexpected
application termination or arbitrary code execution. This update addresses
the issues through improved bounds and error checking. |
Description: Multiple uninitialized memory access issues exist
in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously
crafted TIFF image may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through proper
memory initialization and additional validation of TIFF images. |
Description: Multiple vulnerabilities exist in FreeType v2.3.5,
the most serious of which may lead to arbitrary code execution when accessing
maliciously crafted font data. This update addresses the issue by
incorporating the security fixes from version 2.3.6 of FreeType. Further
information is available via the FreeType site at http://www.freetype.org/ |
Description: An undetected failure condition exists in the
handling of packets with an IPComp header. Sending a maliciously crafted
packet to a system configured to use IPSec or IPv6 may cause an unexpected
device reset. This update addresses the issue by properly detecting the
failure condition. |
Description: The Passcode Lock feature is designed to prevent
applications from being launched unless the correct passcode is entered. An
implementation issue in the handling of emergency calls allows users with
physical access to an iPhone to launch an application without the passcode.
This update addresses the issue through an improved check on the state of the
Passcode Lock. |
|
|
|
|
|
|
|
|
|
Find
My iPhone |
Recovery
Mode |
MobileMail |
|
CoreGraphics |
ImageIO |
mDNSResponder |
Safari |
Safari |
CVE-ID: CVE-2010-1776 |
CVE-ID: CVE-2010-0038 |
CVE-ID: CVE-2009-2207 |
|
CVE-ID:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0165 |
CVE-ID: CVE-2008-1586 |
CVE-ID: CVE-2008-1447 |
CVE-ID: CVE-2008-1588 |
CVE-ID: CVE-2007-5858 |
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and
later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
|
Available
for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1
through 1.1.2 |
Impact: A device with a MobileMe account configured may be
remotely wiped, even if "Find My iPhone" is disabled |
Impact: A person with physical access to a locked device may be
able to access the user's data |
Impact: Deleted email messages may still be visible through a
Spotlight search |
|
Impact:
Viewing or downloading a PDF file containing a maliciously crafted JBIG2
stream may lead to an unexpected application termination or arbitrary code
execution |
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected device reset |
Impact: mDNSResponder is susceptible to DNS cache poisoning and
may return forged information |
Impact: Unicode ideographic spaces may be used to spoof a
website |
Impact: Visiting a malicious website may result in the
disclosure of sensitive information |
Description: A user may configure their device to use
MobileMe. Individual MobileMe services may be enabled or disabled via the
Settings app. Disabling the "Find My iPhone" service prevents the
device from being located via MobileMe, but does not prevent the phone from
being wiped. An attacker with access to the password of the configured
MobileMe account may be able to wipe the device. This issue is addressed by
disabling remote wipe and message display when the "Find My iPhone"
service is disabled on the device. |
Description: A memory corruption issue exists in the handling of
a certain USB control message. A person with physical access to the device
could use this to bypass the passcode and access the user's data. This issue
is addressed through improved handling of the USB control message. |
Description: Spotlight finds and allows access to deleted
messages in Mail folders on the device. This would allow a person with access
to the device to view the deleted messages. This update addresses the issue
by not including the deleted email in the Spotlight search result. This issue
only affects iPhone OS 3.0, iPhone OS 3.0.1, and iPhone OS for iPod touch
3.0. Credit to Clickwise Software and Tony Kavadias for reporting this issue. |
|
Description:
Multiple heap buffer overflows exist in CoreGraphics' handling of PDF files
containing JBIG2 streams. Viewing or downloading a PDF file containing a
maliciously crafted JBIG2 stream may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue
through improved bounds checking. Credit to Apple, Alin Rad Pop of Secunia
Research, and Will Dormann of CERT/CC for reporting this issue. |
Description: A memory exhaustion issue exists in the handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected device reset. This update addresses the issue by limiting the
amount of memory allocated to open a TIFF image. Credit to Sergio 'shadown'
Alvarez of Recurity Labs GmbH for reporting this issue. |
Description: mDNSResponder provides translation between host
names and IP addresses for applications that use its unicast DNS resolution
API. A weakness in the DNS protocol may allow a remote attacker to perform
DNS cache poisoning attacks. As a result, applications that rely on
mDNSResponder for DNS may receive forged information. This update addresses
the issue by implementing source port and transaction ID randomization to
improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of
IOActive for reporting this issue. |
Description: When Safari displays the current URL in the address
bar, Unicode ideographic spaces are rendered. This allows a maliciously
crafted website to direct the user to a spoofed site that visually appears to
be a legitimate domain. This update addresses the issue by not rendering
Unicode ideographic spaces in the address bar. |
Description: WebKit allows a page to navigate the subframes of
any other page. Visiting a maliciously crafted web page could trigger a
cross-site scripting attack, which may lead to the disclosure of sensitive
information. This update addresses the issue by implementing a stricter frame
navigation policy. |
|
|
|
|
|
|
|
|
|
ImageIO |
WebKit |
Recovery
Mode |
|
CoreGraphics |
Networking |
Networking |
Safari |
|
CVE-ID: CVE-2010-0041 |
CVE-ID: CVE-2009-3384 |
CVE-ID: CVE-2009-2795 |
|
CVE-ID:
CVE-2009-0155 |
CVE-ID: CVE-2008-4227 |
CVE-ID: CVE-2008-3612 |
CVE-ID: CVE-2008-1589 |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and
later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
|
Available
for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may result
in sending data from Safari's memory to the website |
Impact: Accessing a maliciously crafted FTP server could result
in an unexpected application termination, information disclosure, or
arbitrary code execution |
Impact: A person with physical access to a locked device may be
able to access the user's data |
|
Impact:
Opening a maliciously crafted PDF file may lead to an unexpected application
termination or arbitrary code execution |
Impact: The encryption level for PPTP VPN connections may be
lower than expected |
Impact: Predictable TCP initial sequence numbers generation may
lead to TCP spoofing or session hijacking |
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information |
|
Description: An uninitialized memory access issue exists in
ImageIO's handling of BMP images. Visiting a maliciously crafted website may
result in sending data from Safari's memory to the website. This issue is
addressed through improved memory initialization and additional validation of
BMP images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this
issue. |
Description: Multiple input validation issues exist in WebKit's
handling of FTP directory listings. Accessing a maliciously crafted FTP
server may lead to information disclosure, unexpected application
termination, or execution of arbitrary code. This update addresses the issues
through improved parsing of FTP directory listings. Credit to Michal Zalewski
of Google Inc. for reporting these issues. |
Description: A heap buffer overflow exists in Recovery Mode
command parsing. This may allow another person with physical access to the
device to bypass the passcode, and access the user's data. This update
addresses the issue through improved bounds checking. |
|
Description:
An integer underflow in CoreGraphics' handling of PDF files may result in a
heap buffer overflow. Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. Credit to Barry K.
Nathan for reporting this issue. |
Description: The encryption level for PPTP VPN connections may
revert to a previous lower setting. This update addresses the issue by
properly setting the encryption preferences. Credit to Stephen Butler of the
University of Illinois of Urbana-Champaign for reporting this issue. |
Description: TCP initial sequence numbers are sequentially
generated. Predictable initial sequence numbers may allow a remote attacker
to create a spoofed TCP connection or insert data into an existing TCP
connection. This update addresses the issue by generating random TCP initial
sequence numbers. |
Description: When Safari accesses a website that uses a
self-signed or invalid certificate, it prompts the user to accept or reject
the certificate. If the user presses the menu button while at the prompt,
then on the next visit to the site, the certificate is accepted with no
prompt. This may lead to the disclosure of sensitive information. This update
addresses the issue through improved handling of certificates. Credit to
Hiromitsu Takagi for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
ImageIO |
WebKit |
Telephony |
|
CoreGraphics |
Office
Viewer |
Passcode
Lock |
Safari |
|
CVE-ID: CVE-2010-0042 |
CVE-ID: CVE-2009-2841 |
CVE-ID: CVE-2009-2815 |
|
CVE-ID:
CVE-2009-1179 |
CVE-ID: CVE-2008-4211 |
CVE-ID: CVE-2008-3633 |
CVE-ID: CVE-2008-2303 |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and
later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1 |
|
Available
for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v2.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may result
in sending data from Safari's memory to the website |
Impact: Mail may load remote audio and video content when remote
image loading is disabled |
Impact: Receiving a maliciously crafted SMS message may lead to
an unexpected service interruption |
|
Impact:
Opening a maliciously crafted PDF file may lead to an unexpected application
termination or arbitrary code execution |
Impact: Viewing a maliciously crafted Microsoft Excel file may
lead to an unexpected application termination or arbitrary code execution |
Impact: An unauthorized user may bypass the Passcode Lock and
launch iPhone applications |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Description: An uninitialized memory access issue exists in
ImageIO's handling of TIFF images. Visiting a maliciously crafted website may
result in sending data from Safari's memory to the website. This issue is
addressed through improved memory initialization and additional validation of
TIFF images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this
issue. |
Description: When WebKit encounters an HTML 5 Media Element
pointing to an external resource, it does not issue a resource load callback
to determine if the resource should be loaded. This may result in undesired
requests to remote servers. As an example, the sender of an HTML-formatted
email message could use this to determine that the message was read. This
issue is addressed by generating resource load callbacks when WebKit
encounters an HTML 5 Media Element. |
Description: A null pointer dereference issue exists in the
handling of SMS arrival notifications. Receiving a maliciously crafted SMS
message may lead to an unexpected service interruption. This update addresses
the issue through improved handling of incoming SMS messages. Credit to
Charlie Miller of Independent Security Evaluators, and Collin Mulliner of
Technical University Berlin for reporting this issue. |
|
Description:
An integer overflow in CoreGraphics' handling of PDF files may result in a
heap buffer overflow. Opening a PDF file containing a maliciously crafted
JBIG2 stream may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved bounds
checking. Credit to Will Dormann of CERT/CC for reporting this issue. |
Description: A signedness issue in Office Viewer's handling of
columns in Microsoft Excel files may result in an out-of-bounds memory
access. Viewing a maliciously crafted Microsoft Excel file may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issue by ensuring that the affected index values are not
negative. Credit: Apple. |
Description: The Passcode Lock feature is designed to prevent
applications from being launched unless the correct passcode is entered. An
implementation issue in the handling of emergency calls allows users with
physical access to an iPhone to launch an application without the passcode by
double clicking the home button in emergency call. This update addresses the
issue through improved handling of emergency calls. Credit to Matthew Yohe of
The University of Iowa's Department of Electrical and Computer Engineering
for reporting this issue. This issue does not affect iPhone versions prior to
v2.0. |
Description: A signedness issue in Safari's handling of
JavaScript array indices may result in an out-of-bounds memory access.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue by
performing additional validation of JavaScript array indices. Credit to
SkyLined of Google for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
ImageIO |
|
UIKit |
|
CoreGraphics |
Passcode
Lock |
WebKit |
Safari |
|
CVE-ID: CVE-2010-0043 |
|
CVE-ID:
CVE-2009-2796 |
|
CVE-ID:
CVE-2009-0946 |
CVE-ID: CVE-2008-4228 |
CVE-ID: CVE-2008-3632 |
CVE-ID: CVE-2006-2783 |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and
later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
|
Available
for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0 |
|
Available
for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Processing a maliciously crafted TIFF image may
lead to an unexpected application termination or arbitrary code execution |
|
Impact:
Passwords may be made visible |
|
Impact:
Multiple vulnerabilities in FreeType v2.3.8 |
Impact: Emergency calls are not restricted to emergency numbers |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
Impact: Visiting a maliciously crafted website may lead to
cross-site scripting |
|
Description: A memory corruption issue exists in the
handling of TIFF images. Processing a maliciously crafted TIFF image may lead
to an unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory handling. Credit to Gus Mueller of
Flying Meat for reporting this issue. |
|
Description:
When a character in a password is deleted, and the deletion is undone, the
character is briefly made visible. This may allow a person with physical
access to the device to read a password, one character at a time. This update
addresses the issue by preventing the character from being made visible. This
issue only affects iPhone OS 3.0 and iPhone OS 3.0.1. Credit to Abraham Vegh
for reporting this issue. |
|
Description:
Multiple integer overflows exist in FreeType v2.3.8, which may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issues through improved bounds checking. Credit to Tavis
Ormandy of the Google Security Team for reporting these issues. |
Description: iPhone provides the ability to make an emergency
call when locked. Currently, an emergency call may be placed to any number. A
person with physical access to an iPhone may take advantage of this feature
to place arbitrary calls which are charged to the iPhone owner. This update
addresses the issue by restricting emergency calls to a limited set of phone
numbers. |
Description: A use-after-free issue exists in WebKit's handling
of CSS import statements. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution. This
update addresses the issue through improved handling of document references. |
Description: Safari ignores Unicode byte order mark sequences
when parsing web pages. Certain websites and web content filters attempt to
sanitize input by blocking specific HTML tags. This approach to filtering may
be bypassed and lead to cross-site scripting when encountering
maliciously-crafted HTML tags containing byte order mark sequences. This
update addresses the issue through improved handling of byte order mark
sequences. Credit to Chris Weber of Casaba Security, LLC for reporting this
issue. |
|
|
|
|
|
|
|
|
|
|
ImageIO |
|
WebKit |
|
Exchange |
Passcode
Lock |
|
Safari |
|
CVE-ID: CVE-2010-1753 |
|
CVE-ID:
CVE-2009-2797 |
|
CVE-ID: CVE-2009-0958 |
CVE-ID: CVE-2008-4229 |
|
CVE-ID:
CVE-2008-2307 |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and
later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
|
Available
for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
|
Available
for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4 |
|
Impact: Processing a maliciously crafted JPEG image may
lead to an unexpected application termination or arbitrary code execution |
|
Impact:
User names and passwords in URLs may be disclosed to linked sites |
|
Impact: Connecting to a malicious Exchange server may lead to
the disclosure of sensitive information |
Impact: Restoring a device from backup may not re-enable the
Passcode Lock |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
Description: A memory corruption issue exists in the
handling of JPEG images. Processing a maliciously crafted JPEG image may lead
to an unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory handling. Credit to Ladd Van Tol
of Critical Path Software for reporting this issue. |
|
Description:
Safari includes the user name and password from the original URL in the
referer header. This may lead to the disclosure of sensitive information.
This update addresses the issue by not including user names and passwords in
referer headers. Credit to James A. T. Rice of Jump Networks Ltd for
reporting this issue. |
|
Description: Accepting an untrusted Exchange server certificate
results in storing an exception on a per-hostname basis. On the next visit to
an Exchange server contained in the exception list, its certificate is
accepted with no prompt and validation. This may lead to the disclosure of
credentials or application data. This update addresses the issue through
improved handling of untrusted certificate exceptions. Credit to FD of
Securus Global for reporting this issue. |
Description: The Passcode Lock feature is designed to prevent
applications from being launched unless the correct passcode is entered. A
race condition in the handling of device settings may cause the Passcode Lock
to be removed when the device is restored from backup. This may allow a
person with physical access to the device to launch applications without the
passcode. This update addresses the issue by improving the system's ability
to recognize missing preferences. This issue does not affect systems prior to
iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to Nolen Scaife for
reporting this issue. |
|
Description:
A memory corruption issue exists in WebKit's handling of JavaScript arrays.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue
through improved bounds checking. Credit to James Urquhart for reporting this
issue. |
|
LibSystem
CVE-ID: CVE-2009-0689
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Applications that convert untrusted data between binary floating point and text may be vulnerable to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the floating point binary to text conversion code within Libsystem. An attacker who can cause an application to convert a floating point value into a long string, or to parse a maliciously crafted string as a floating point value, may be able to cause an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Maksymilian Arciemowicz of SecurityReason.com for reporting this issue.

WebKit
CVE-ID: CVE-2009-1725
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.

ImageIO
CVE-ID: CVE-2009-0040
Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling of PNG images. Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PNG images. Credit to Tavis Ormandy of Google Security Team for reporting this issue.

Passcode Lock
CVE-ID: CVE-2008-4230
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Short Message Service (SMS) messages may be revealed before the passcode is entered
Description: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the "Show SMS Preview" preference was set to "OFF". This update addresses the issue by, in this situation, displaying only a notification that an SMS message has arrived, and not its content.

Safari
CVE-ID: CVE-2008-2317
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebCore's handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to an anonymous researcher working with the TippingPoint Zero Day Initiative for reporting this issue.
libxml
CVE-ID: CVE-2009-2414, CVE-2009-2416
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Parsing maliciously crafted XML content may lead to an unexpected application termination
Description: Multiple use after free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. The issues are addressed through improved memory handling. Credit to Rauli Kaksonen and Jukka Taimisto from the CROSS project at Codenomicon Ltd. for reporting these issues.

WebKit
CVE-ID: CVE-2009-1724
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.

International Components for Unicode
CVE-ID: CVE-2009-0153
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting
Description: An implementation issue exists in ICU's handling of certain character encodings. Using ICU to convert invalid byte sequences to Unicode may result in over-consumption, where trailing bytes are considered part of the original character. This may be leveraged by an attacker to bypass filters on websites that attempt to mitigate cross-site scripting. This update addresses the issue through improved handling of invalid byte sequences. Credit to Chris Weber of Casaba Security for reporting this issue.

Safari
CVE-ID: CVE-2008-4231
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of HTML table elements. Credit to Haifei Li of Fortinet's FortiGuard Global Security Research Team for reporting this issue.

Safari
CVE-ID: CVE-2007-6284
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Processing an XML document may lead to a denial of service
Description: A memory consumption issue exists in the handling of XML documents containing invalid UTF-8 sequences, which may lead to a denial of service. This update addresses the issue by updating the libxml2 system library to version 2.6.16.
Passcode Lock
CVE-ID: CVE-2010-1754
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Remote Lock via MobileMe may not be effective in preventing access
Description: If the device is unlocked in response to an alert, such as receiving a text message or voicemail, and MobileMe is then used to Remote Lock the device, then the next unlock of the device will have the passcode already entered. A person with physical access to the device will not require the passcode in this situation. This issue is addressed by properly clearing the passcode. Credit to Sidney San Martin of DeepTech, Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-2199
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0
Impact: Look-alike characters in a URL could be used to masquerade as a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.

IPSec
CVE-ID: CVE-2008-3651, CVE-2008-3652
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in the racoon daemon may lead to a denial of service
Description: Multiple memory leaks exist in the racoon daemon in ipsec-tools before 0.7.1, which may lead to a denial of service. This update addresses the issues through improved memory management.

Safari
CVE-ID: CVE-2008-4232
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Websites with embedded iframe elements may be vulnerable to user interface spoofing
Description: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. This update addresses the issue by not allowing iframe elements to display content outside their boundaries. This issue does not affect systems prior to iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to John Resig of Mozilla Corporation for reporting this issue.

Safari
CVE-ID: CVE-2008-1767
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via the xmlsoft.org website, http://xmlsoft.org/XSLT/. Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team for reporting this issue.
Passcode Lock
CVE-ID: CVE-2010-1775
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A person with physical access to a device may be able to access the user's data
Description: A device with a passcode set may only be paired with a computer if the device is unlocked. A race condition permits pairing for a short period after the initial boot, if the device was unlocked before powering down. If the device was shut down from a locked state, this issue does not occur. This issue is addressed through improved checking for the locked state.

libxml
CVE-ID: CVE-2008-3281, CVE-2008-3529, CVE-2008-4409, CVE-2008-4225, CVE-2008-4226
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in libxml2 version 2.6.16
Description: Multiple vulnerabilities in libxml2 version 2.6.16, the most serious of which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by updating the libxml2 system library to version 2.7.3.

Safari
CVE-ID: CVE-2008-4233
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Visiting a maliciously crafted website may initiate a phone call without user interaction
Description: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user's ability to cancel dialing for a short period of time. This update addresses the issue by properly dismissing Safari's call approval dialog when an application is being launched via Safari. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.

WebKit
CVE-ID: CVE-2008-1590
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in JavaScriptCore's handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to Itzik Kotler and Jonathan Rom of Radware for reporting this issue.
Safari
CVE-ID: CVE-2010-1755
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Cookies may be set by third-party sites even when the Accept Cookies preference is set to "From visited" or "Never"
Description: An implementation issue exists in the handling of cookie preferences. Cookie preferences are not applied until Safari is restarted. Cookies may be set by third-party sites even when the Accept Cookies preference is set to "From visited" or "Never". This issue is addressed by applying the Accept Cookies preference. Credit to Jason Dent of Street Side Software for reporting this issue.

Mail
CVE-ID: CVE-2009-0960
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Users do not have control over the loading of remote images in HTML messages
Description: Mail does not provide a preference to turn off the automatic loading of remote images. Opening an HTML email containing a remote image will automatically request it. The server hosting a remote image can determine that the email was read, and the network address of the device. This update addresses the issue by adding a preference to turn off the automatic loading of remote images. Credit to Ronald C.F. Antony of Cubiculum Systems, Stefan Seiz of ERNI Electronics GmbH, Oskar Lissheim-Boethius of iPhone development house OLB Productions, Meyer Consulting, Oliver Quas, Christian Schmitz of MonkeybreadSoftware, Thomas Adams of TynTec, Aviv Raff of aviv.raffon.net, and Collin Mulliner of Fraunhofer SIT for reporting this issue.

WebKit
CVE-ID: CVE-2008-3644
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1
Impact: Sensitive information may be disclosed to a person with physical access to an unlocked device
Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue.

WebKit
CVE-ID: CVE-2008-1025
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Accessing a maliciously crafted URL may result in cross-site scripting
Description: An issue exists in WebKit's handling of URLs containing a colon character in the host name. Accessing a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs. Credit to Robert Swiecki of the Google Security Team, and David Bloom for reporting this issue.
Safari
CVE-ID: CVE-2010-1384
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A maliciously crafted URL may be obfuscated, making phishing attacks more effective
Description: Safari supports the inclusion of user information in URLs, which allows the URL to specify a username and password to authenticate the user to the named server. These URLs are often used to confuse users, which can potentially aid phishing attacks. Safari is updated to display a warning before navigating to an HTTP or HTTPS URL containing user information. Credit to Abhishek Arya of Google, Inc. for reporting this issue.

Mail
CVE-ID: CVE-2009-0961
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: An application that causes an alert to appear may initiate a phone call without user interaction
Description: If an application causes an alert to appear while Mail's call approval dialog is shown, the call will be placed without user interaction. This update addresses the issue by not dismissing the call approval dialog when other alerts appear. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.

WebKit
CVE-ID: CVE-2008-1026
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller of Independent Security Evaluators for reporting this issue.
Safari
CVE-ID: CVE-2009-1723
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A maliciously crafted website may control the displayed website URL while a certificate warning is displayed
Description: When Safari reaches a website via a 302 redirection and a certificate warning is displayed, the URL bar will contain the original website URL instead of the current website URL. This may allow a maliciously crafted website that is reached via an open redirector on a user-trusted website to control the displayed website URL while a certificate warning is displayed. This issue is addressed by returning the correct URL in the underlying CFNetwork layer. Credit to Kevin Day of Your.Org, and Jason Mueller of Indiana University for reporting this issue.

MPEG-4 Video Codec
CVE-ID: CVE-2009-0959
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted MPEG-4 video file may lead to an unexpected device reset
Description: An input validation issue exists in the handling of MPEG-4 video files. Viewing a maliciously crafted MPEG-4 video file may lead to an unexpected device reset. This update addresses the issue through improved handling of MPEG-4 video files. Credit to Si Brindley for reporting this issue.
Settings
CVE-ID: CVE-2010-1756
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A user may be misled as to the actual operational wireless network
Description: A design issue exists in the Settings application. When connected to a hidden wireless network, the Settings application may incorrectly indicate another wireless network. This issue is addressed by properly displaying the active wireless network. Credit to Wilfried Teiken for reporting this issue.

Profiles
CVE-ID: CVE-2009-1679
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Installing a configuration profile may weaken the passcode policy defined by Exchange ActiveSync
Description: An issue in the handling of configuration profiles may allow a weaker passcode policy to overwrite the passcode policy already set via Exchange ActiveSync. This may allow a person with physical access to the device to bypass the passcode policy set via Exchange ActiveSync. This update addresses the issue through improved handling of configuration profiles.
WebKit
CVE-ID: CVE-2009-2195
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in WebKit's parsing of floating point numbers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. The issue is addressed through improved bounds checking. Credit: Apple.

Safari
CVE-ID: CVE-2009-1680
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Clearing Safari's history via the Settings application does not prevent disclosure of the search history to a person with physical access to the device
Description: Clearing Safari's history via the Settings application does not reset the search history. In this case, another person with physical access to the device may be able to view the search history. This update addresses the issue by removing the search history when Safari's history is cleared via the Settings application. Credit to Joshua Belsky for reporting this issue.
WebKit
CVE-ID: CVE-2009-2816
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in unexpected actions on other websites
Description: An issue exists in WebKit's implementation of Cross-Origin Resource Sharing. Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request to the latter server for access to the resource. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery. This issue is addressed by removing custom HTTP headers from preflight requests. Credit: Apple.

Safari
CVE-ID: CVE-2009-1681
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Interacting with a maliciously crafted website may result in unexpected actions on other sites
Description: A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as "clickjacking". A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard 'X-Frame-Options' extension header, which allows individual web pages to opt out of being displayed within a subframe.
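The preflight exchange described in the WebKit entry for CVE-2009-2816, as an added example that is not WebKit's code: the browser-side logic that decides when a preflight is needed, builds it without the page's custom headers, and evaluates the server's answer. Origins, URLs and header values below are constructed.

```javascript
// Added example, not WebKit's code: the CORS preflight exchange as the fix
// for CVE-2009-2816 requires it. The OPTIONS request announces the method and
// the *names* of non-simple headers; the headers themselves (and their values)
// travel only on the real request, and only after the server has allowed them.
// Origins, URLs and header values are constructed.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function splitList(value) {
  return (value || '').split(',').map(s => s.trim()).filter(Boolean);
}

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

// Names (lower-cased, sorted) of the request headers that are not "simple" and
// therefore must be announced in the preflight and allowed by the server.
function nonSimpleHeaderNames(req) {
  const names = [];
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lname = name.toLowerCase();
    let simple = SIMPLE_HEADERS.has(lname);
    if (lname === 'content-type') {
      simple = SIMPLE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
    }
    if (!simple) names.push(lname);
  }
  return names.sort();
}

function needsPreflight(req) {
  return !SIMPLE_METHODS.has(req.method.toUpperCase()) || nonSimpleHeaderNames(req).length > 0;
}

// Build the OPTIONS request. Nothing from req.headers is copied across: the
// preflight is an announcement, not a rehearsal of the real request.
function buildPreflight(origin, req) {
  const names = nonSimpleHeaderNames(req);
  const headers = {
    Origin: origin,
    'Access-Control-Request-Method': req.method.toUpperCase(),
  };
  if (names.length > 0) headers['Access-Control-Request-Headers'] = names.join(', ');
  return { method: 'OPTIONS', url: req.url, headers };
}

// Browser-side evaluation of the preflight response: the origin must match and
// every announced method and header must be allowed (or covered by "*").
function preflightAllows(preflight, response) {
  const h = lowerKeys(response.headers);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== preflight.headers.Origin) return false;

  const method = preflight.headers['Access-Control-Request-Method'];
  const methods = splitList(h['access-control-allow-methods']).map(m => m.toUpperCase());
  if (!SIMPLE_METHODS.has(method) && !methods.includes('*') && !methods.includes(method)) return false;

  const requested = splitList(preflight.headers['Access-Control-Request-Headers']).map(n => n.toLowerCase());
  const allowed = splitList(h['access-control-allow-headers']).map(n => n.toLowerCase());
  if (allowed.includes('*')) return true;
  return requested.every(name => allowed.includes(name));
}

// Constructed walk-through: a page on app.example.test wants to PUT JSON with
// an API token header to api.example.test.
const pageOrigin = 'https://app.example.test';
const realRequest = {
  method: 'PUT',
  url: 'https://api.example.test/items/42',
  headers: { 'Content-Type': 'application/json', 'X-Api-Token': 'constructed-secret' },
};
const preflight = buildPreflight(pageOrigin, realRequest);
// Constructed server answer that allows exactly this request.
const serverResponse = {
  headers: {
    'Access-Control-Allow-Origin': 'https://app.example.test',
    'Access-Control-Allow-Methods': 'GET, PUT',
    'Access-Control-Allow-Headers': 'Content-Type, X-Api-Token',
  },
};
console.log(JSON.stringify(preflight.headers));
// -> {"Origin":"https://app.example.test","Access-Control-Request-Method":"PUT","Access-Control-Request-Headers":"content-type, x-api-token"}
```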
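An added example, not Safari's or WebKit's code, of the X-Frame-Options evaluation that the Safari entry for CVE-2009-1681 describes, together with the response headers a page sends to opt out of framing; the check goes beyond the entry by walking the whole ancestor chain rather than only the immediate parent. Origins and URLs are constructed.

```javascript
// Added example, not Safari's or WebKit's code: how a browser evaluates the
// X-Frame-Options header the advisory adopts, and the response a server sends
// to opt a page out of framing. URLs are constructed. The check walks the whole
// ancestor chain (nearest parent first, top-level document last), so a page
// framed by a same-origin page that is itself inside a foreign top-level page
// is still blocked.

function originOf(url) {
  return new URL(url).origin;
}

// Multiple header lines and comma-separated values are both possible.
function parseDirectives(headerValues) {
  const values = (headerValues || [])
    .flatMap(v => String(v).split(','))
    .map(v => v.trim().toLowerCase())
    .filter(Boolean);
  return [...new Set(values)];
}

// Returns true if documentUrl may be rendered inside the given ancestor chain.
function mayBeFramed(xfoHeaderValues, documentUrl, ancestorUrls) {
  const directives = parseDirectives(xfoHeaderValues);
  if (directives.length === 0) return true;     // header absent: framing allowed (the pre-fix default)
  if (directives.length > 1) return false;      // conflicting directives: fail closed
  if (ancestorUrls.length === 0) return true;   // a top-level navigation is never "framed"
  const directive = directives[0];
  if (directive === 'deny') return false;
  if (directive === 'sameorigin') {
    const docOrigin = originOf(documentUrl);
    return ancestorUrls.every(u => originOf(u) === docOrigin);
  }
  if (directive.startsWith('allow-from ')) {
    // Legacy form: only the top-level document is compared, as original implementations did.
    const allowed = originOf(directive.slice('allow-from '.length).trim());
    return originOf(ancestorUrls[ancestorUrls.length - 1]) === allowed;
  }
  return true;                                  // unrecognised value is ignored, as browsers do
}

// Server side: the headers a sensitive page (a purchase confirmation, say)
// should carry. CSP frame-ancestors is the modern replacement and is sent
// alongside for browsers that honour it.
function antiClickjackingHeaders() {
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}

// Constructed walk-through: a shop's purchase page framed, via a same-origin
// helper page, by an unrelated site.
const purchasePage = 'https://shop.example.test/checkout/confirm';
const pageHeaders = antiClickjackingHeaders();
const framedByForeignTop = mayBeFramed([pageHeaders['X-Frame-Options']], purchasePage,
  ['https://shop.example.test/help', 'https://unrelated.example.test/game']);
console.log(framedByForeignTop); // false
```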
WebKit
CVE-ID: CVE-2010-0544
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: An issue in WebKit's handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. This issue is addressed through improved handling of URLs. Credit to Michal Zalewski of Google, Inc. for reporting this issue.

Telephony
CVE-ID: CVE-2009-1683
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: A remote attacker may cause an unexpected device reset
Description: A logic issue in the handling of ICMP echo request packets may cause an assertion to be triggered. By sending a maliciously crafted ICMP echo request packet, a remote attacker may be able to cause an unexpected device reset. This update addresses the issue by removing the assertion. Credit to Masaki Yoshida for reporting this issue.
WebKit
CVE-ID: CVE-2010-1395
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a malicious site may lead to a cross-site scripting attack
Description: A scope management issue exists in WebKit's handling of event objects. Visiting a malicious site may lead to a cross-site scripting attack. This issue is addressed through improved handling of event objects. Credit to Gianni "gf3" Chiappetta of Runlevel6 for reporting this issue.

WebKit
CVE-ID: CVE-2008-2320
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of invalid color strings in Cascading Style Sheets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved sanitization of color strings. Credit to Thomas Raffetseder of the International Secure Systems Lab for reporting this issue.
WebKit
CVE-ID: CVE-2010-0051
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description: An implementation issue exists in WebKit's handling of cross-origin stylesheet requests. Visiting a maliciously crafted website may disclose the content of protected resources on another website. This issue is addressed by performing additional validation on stylesheets that are loaded during a cross-origin request.

WebKit
CVE-ID: CVE-2009-0945
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Nils working with TippingPoint's Zero Day Initiative for reporting this issue.
WebKit
CVE-ID: CVE-2010-1390
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a website using UTF-7 encoding may lead to a cross-site scripting attack
Description: A canonicalization issue exists in WebKit's handling of UTF-7 encoded text. An HTML quoted string may be left unterminated, leading to a cross-site scripting attack or other issues. This issue is addressed by removing support for UTF-7 encoding in WebKit. Credit to Masahiro Yamada for reporting this issue.

WebKit
CVE-ID: CVE-2009-1684
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in the separation of JavaScript contexts. A maliciously crafted web page may use an event handler to execute a script in the security context of the next web page that is loaded in its window or frame. This update addresses the issue by ensuring that event handlers are not able to directly affect an in-progress page transition. Credit to Michal Zalewski of Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2010-0047
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1685
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in the separation of JavaScript contexts. By enticing a user to visit a maliciously crafted web page, the attacker may overwrite the 'document.implementation' of an embedded or parent document served from a different security zone. This update addresses the issue by ensuring that changes to 'document.implementation' do not affect other documents. Credit to Dean McNamee of Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2010-0053
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in the rendering of content with a CSS display property set to 'run-in'. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1686
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A type conversion issue exists in WebKit's JavaScript exception handling. When an attempt is made to assign the exception to a variable that is declared as a constant, an object is cast to an invalid type, causing memory corruption. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that assignment in a const declaration writes to the variable object. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.
WebKit
CVE-ID: CVE-2010-0050
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of incorrectly nested HTML tags. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1687
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's JavaScript garbage collector implementation. If an allocation fails, a memory write to an offset of a NULL pointer may result, leading to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking for allocation failure. Credit to SkyLined of Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2010-1406
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting an HTTPS site which redirects to an HTTP site may lead to an information disclosure
Description: When WebKit is redirected from an HTTPS site to an HTTP site, the Referer header is passed to the HTTP site. This can lead to the disclosure of sensitive information contained in the URL of the HTTPS site. This issue is addressed by not passing the Referer header when an HTTPS site redirects to an HTTP site. Credit to Colin Percival of Tarsnap for reporting this issue.

WebKit
CVE-ID: CVE-2009-1688, CVE-2009-1689
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: Multiple issues in WebKit's handling of JavaScript objects may lead to a cross-site scripting attack. This update addresses the issues through improved handling of cross-site interaction with JavaScript objects. Credit to Adam Barth of UC Berkeley, and Collin Jackson of Stanford University for reporting these issues.
|
|
|
|
|
|
|
|
|
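The redirect case described under CVE-2010-1406 above, modelled as an added example (illustrative code, not Apple's or WebKit's): the Referer value a browser computes for each hop of a redirect chain, with the pre-fix rule beside the fixed one. Node's global URL class does the parsing; the hostnames, the session token in the query string and the redirect chain are constructed for the example.

```javascript
// Added example (not from the advisory or from WebKit): the Referer decision
// made on every request and redirect hop, pre-fix behaviour beside the fix.

// A Referer value never carries credentials or the fragment, so strip both.
function referrerValue(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Pre-fix behaviour: the initiating document's URL is sent with every hop,
// including an http: target reached through a redirect from an https: URL.
// (targetUrl is ignored: that is the bug.)
function refererLegacy(documentUrl, targetUrl) {
  const from = new URL(documentUrl);
  if (from.protocol !== 'https:' && from.protocol !== 'http:') return null;
  return referrerValue(documentUrl);
}

// Fixed behaviour: a secure document's URL is never disclosed to a
// cleartext target. Returns the header value, or null for "send no Referer".
function refererFixed(documentUrl, targetUrl) {
  const from = new URL(documentUrl);
  const to = new URL(targetUrl);
  if (from.protocol !== 'https:' && from.protocol !== 'http:') return null;
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  return referrerValue(documentUrl);
}

// Walk a redirect chain started by `documentUrl`. The referrer of every hop
// is still the initiating document (redirect responses are not documents),
// which is exactly why the downgrade check must be re-run on each hop.
function followRedirects(documentUrl, hops, policy) {
  return hops.map((url) => ({ url, referer: policy(documentUrl, url) }));
}

// Constructed scenario: a logged-in page whose URL carries a session token
// links to an outbound redirector that bounces to a plain-http site.
const DOCUMENT = 'https://bank.example/account?session=abc123#summary';
const HOPS = [
  'https://bank.example/out?to=tracker', // 302 -> next hop
  'http://tracker.example/landing',      // cleartext destination
];

function refererDemo() {
  return {
    legacy: followRedirects(DOCUMENT, HOPS, refererLegacy),
    fixed: followRedirects(DOCUMENT, HOPS, refererFixed),
  };
}

console.log(JSON.stringify(refererDemo(), null, 2));
```

With the legacy rule the second hop receives `https://bank.example/account?session=abc123` in the clear; with the fixed rule it receives no Referer at all, while the https-to-https first hop is unchanged.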
WebKit
CVE-ID: CVE-2010-0048
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's parsing of XML documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.

WebKit
CVE-ID: CVE-2009-1690
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved memory management. Credit to SkyLined of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-0046
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS format() arguments. Credit to Robert Swiecki of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1691
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to cross-site scripting
Description: A cross-site scripting issue in Safari allows a maliciously crafted website to alter standard JavaScript prototypes of websites served from a different domain. By enticing a user to visit a maliciously crafted web page, an attacker may be able to alter the execution of JavaScript served from other websites. This update addresses the issue through improved access controls on these prototypes.

WebKit
CVE-ID: CVE-2010-0052
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple.

WebKit
CVE-ID: CVE-2009-1692
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected device reset
Description: A memory consumption issue exists in the handling of HTMLSelectElement objects. Visiting a maliciously crafted webpage containing an HTMLSelectElement with a very large length attribute may lead to an unexpected device reset. This update addresses the issue through improved handling of HTMLSelectElement objects. Credit to Thierry Zoller of G-SEC (www.g-sec.lu) for reporting this issue.

WebKit
CVE-ID: CVE-2010-1397
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's rendering of a selection when the layout changes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of selections. Credit to wushi&Z of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1693
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may disclose images from other sites
Description: A cross-site image capture issue exists in WebKit. By using a canvas with an SVG image, a maliciously crafted website may load and capture an image from another website. This update addresses the issue by restricting the reading of canvases that have images loaded from other websites. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-0049
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in the handling of HTML elements containing right-to-left displayed text. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2009-1694
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may disclose images from other sites
Description: A cross-site image capture issue exists in WebKit. By using a canvas and a redirect, a maliciously crafted website may load and capture an image from another website. This update addresses the issue through improved handling of redirects. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1393
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an information disclosure
Description: An information disclosure issue exists in WebKit's handling of Cascading Stylesheets. If a stylesheet's HREF attribute is set to a URL that causes a redirection, scripts on the page may be able to access the redirected URL. Visiting a maliciously crafted website may lead to the disclosure of sensitive URLs on another site. This issue is addressed by returning the original URL to scripts, rather than the redirected URL.

WebKit
CVE-ID: CVE-2009-1695
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: An issue in WebKit allows the contents of a frame to be accessed by an HTML document after a page transition has taken place. This may allow a maliciously crafted website to perform a cross-site scripting attack. This update addresses the issue through an improved domain check. Credit to Feng Qian of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-0054
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of HTML image elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple.

WebKit
CVE-ID: CVE-2009-1696
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Websites may surreptitiously track users
Description: Safari generates random numbers for JavaScript applications using a predictable algorithm. This could allow a website to track a particular Safari session without using cookies, hidden form elements, IP addresses, or other techniques. This update addresses the issue by using a better random number generator. Credit to Amit Klein of Trusteer for reporting this issue.

WebKit
CVE-ID: CVE-2010-1119
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of attribute manipulation. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to Vincenzo Iozzo and Ralf Philipp Weinmann working with TippingPoint's Zero Day Initiative, and Michal Zalewski of Google, Inc., for reporting this issue.

WebKit
CVE-ID: CVE-2009-1697
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: A CRLF injection issue exists in the handling of XMLHttpRequest headers in WebKit. This may allow a malicious website to bypass the same-origin policy by issuing an XMLHttpRequest that does not contain a Host header. XMLHttpRequests without a Host header may reach other websites on the same server, and allow attacker-supplied JavaScript to interact with those sites. This update addresses the issue through improved handling of XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting this issue.

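The CRLF injection described under CVE-2009-1697, as an added example (illustrative code, not WebKit's): a minimal HTTP/1.1 request writer that trusts header values, showing how a CR/LF pair inside an XMLHttpRequest header ends the header block and starts a second request with no Host header, beside the field-value validation that rejects it. The hostnames and the injected value are constructed; the forbidden-header set is an assumption for the example, not WebKit's list.

```javascript
// Added example (not WebKit's code): CRLF injection through an XHR header
// value, and the validation that stops it.

// Assumed forbidden request headers for this example: a page must never set
// these itself because the browser derives them from the URL or connection.
const FORBIDDEN_HEADERS = new Set(['host', 'content-length', 'connection']);

// Serialize a request as it would go on the wire. Deliberately trusts its
// inputs: this is the layer that a validating setRequestHeader protects.
function serializeRequest(method, url, headers) {
  const u = new URL(url);
  let text = `${method} ${u.pathname}${u.search} HTTP/1.1\r\nHost: ${u.host}\r\n`;
  for (const [name, value] of headers) text += `${name}: ${value}\r\n`;
  return text + '\r\n';
}

// Pre-fix setRequestHeader: only the forbidden-name check, no syntax check.
function setRequestHeaderLegacy(headers, name, value) {
  if (FORBIDDEN_HEADERS.has(name.toLowerCase())) return false;
  headers.push([name, value]);
  return true;
}

// Fixed setRequestHeader: the name must be an RFC 7230 token and the value
// a field-value (printable ASCII, HTAB, obs-text). CR, LF and NUL can never
// pass, so a value cannot terminate the header block.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FIELD_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;

function setRequestHeaderFixed(headers, name, value) {
  if (!TOKEN.test(name) || !FIELD_VALUE.test(value)) return false;
  if (FORBIDDEN_HEADERS.has(name.toLowerCase())) return false;
  headers.push([name, value]);
  return true;
}

// Split the wire bytes into the requests a server would see, and check
// whether each carries a Host header after its request line.
function splitRequests(wire) {
  return wire.split('\r\n\r\n').filter((r) => r.trim().length > 0);
}
function hasHostHeader(request) {
  return request.split('\r\n').slice(1).some((l) => /^host:/i.test(l));
}

// Constructed attack value: ends the current request and opens a new one
// that has no Host header, so a multi-site server picks the vhost itself.
const ATTACK_VALUE = 'benign\r\n\r\nGET /internal/status HTTP/1.1\r\n';

function crlfDemo(setHeader) {
  const headers = [];
  const accepted = setHeader(headers, 'X-Note', ATTACK_VALUE);
  const wire = serializeRequest('GET', 'https://public.victim.example/api', headers);
  const requests = splitRequests(wire);
  return {
    accepted,
    requestCount: requests.length,
    hostless: requests.filter((r) => !hasHostHeader(r)).length,
    wire,
  };
}

console.log(crlfDemo(setRequestHeaderLegacy));
console.log(crlfDemo(setRequestHeaderFixed));
```

The legacy path emits two requests, the second without a Host header; the fixed path rejects the value and the single request that goes out is the one the page was allowed to make.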
WebKit
CVE-ID: CVE-2010-1387
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in JavaScriptCore during page transitions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.

WebKit
CVE-ID: CVE-2009-1698
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling of the CSS 'attr' function. Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of CSS elements. Credit to Thierry Zoller working with TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google Security Team for reporting this as a security issue.

WebKit
CVE-ID: CVE-2010-1400
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of caption elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of caption elements. Credit to regenrecht working with iDefense for reporting this issue.

WebKit
CVE-ID: CVE-2009-1699
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in an information disclosure
Description: An XML External Entity issue exists in WebKit's handling of XML. Visiting a maliciously crafted website may result in the website being able to read files from the user's system. This update addresses the issue by not loading external entities across origins. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1409
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may allow remotely specified data to be sent to an IRC server
Description: Common IRC service ports are not included in WebKit's port blacklist. Visiting a maliciously crafted website may allow remotely specified data to be sent to an IRC server. This may cause the server to take unintended actions on the user's behalf. This issue is addressed by adding the affected ports to WebKit's port blacklist.

WebKit
CVE-ID: CVE-2009-1700
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in the disclosure of sensitive information
Description: WebKit does not properly handle redirects when processing Extensible Stylesheet Language Transformations (XSLT). This allows a maliciously crafted website to retrieve XML content from pages on other websites, which could result in the disclosure of sensitive information. This update addresses the issue by ensuring that documents referenced in transformations are downloaded from the same domain as the transformation itself. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1398
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1701
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of the JavaScript DOM. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document elements. Credit to wushi & ling of team509 working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1402
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A double free issue exists in WebKit's handling of event listeners in SVG images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of SVG images. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1702
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a malicious website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of Location and History objects may result in a cross-site scripting attack when visiting a malicious website. This update addresses the issue through improved handling of Location and History objects. Credit to Adam Barth and Joel Weinberger of UC Berkeley for reporting this issue.

WebKit
CVE-ID: CVE-2010-1394
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A design issue exists in WebKit's handling of HTML document fragments. The contents of HTML document fragments are processed before a fragment is actually added to a document. Visiting a maliciously crafted website could lead to a cross-site scripting attack if a legitimate website attempts to manipulate a document fragment containing untrusted data. This issue is addressed by ensuring that initial fragment parsing has no side effects on the document that created the fragment. Credit to Eduardo Vela Nava (sirdarckcat) of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1399
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's handling of selection changes on form input elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of selections. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1396
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of the removal of container elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1401
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of the ':first-letter' pseudo-element in cascading stylesheets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of the ':first-letter' pseudo-element. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1403
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's handling of malformed XML when rendering SVG images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of SVG images. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative, for reporting this issue.

WebKit
CVE-ID: CVE-2010-1404
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of SVG images with multiple 'use' elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of 'use' elements in SVG images. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1410
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of malformed XML in SVG images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of XML in SVG images. Credit to Aki Helin of OUSPG for reporting this issue.

WebKit
CVE-ID: CVE-2010-1391
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may cause files to be created in arbitrary user-writable locations
Description: A path traversal issue exists in WebKit's support for Local Storage and Web SQL databases. If accessed from an application-defined scheme containing '%2f' (/) or '%5c' (\) and '..' in the host section of the URL, a maliciously crafted website may cause database files to be created outside of the designated directory. This issue is addressed by encoding characters that may have special meaning in pathnames. This issue does not affect sites served from http: or https: schemes. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1408
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in sending remotely specified data to arbitrary TCP ports
Description: An integer truncation issue exists in WebKit's handling of requests to non-default TCP ports. Visiting a maliciously crafted website may result in sending remotely specified data to arbitrary TCP ports. This issue is addressed by ensuring that port numbers are within the valid range.

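The two port issues above, CVE-2010-1409 (IRC ports missing from the port blacklist) and CVE-2010-1408 (port numbers truncated instead of range-checked), as one added example (illustrative code, not WebKit's). It models the class of bug in which the policy check sees the port as written while the connection layer stores it in 16 bits, so the two disagree for any value above 65535, and shows the range check and the extended blacklist together. Both port lists are assumptions for the example; they are not WebKit's actual lists.

```javascript
// Added example (not WebKit's code): port truncation beside range checking,
// and a blocked-port list with and without the IRC range.

// What an unchecked narrowing to a 16-bit field does to an oversized port:
// the high bits drop, so 65558 becomes 22 and 72203 becomes 6667.
function parsePortTruncating(text) {
  const n = Number(text);
  if (!Number.isInteger(n) || n < 0) return null;
  return n & 0xffff;                    // models storing into a uint16
}

// Fixed parsing: reject anything outside 0..65535 before any narrower
// representation can see it.
function parsePortChecked(text) {
  if (!/^\d{1,5}$/.test(text)) return null;
  const n = Number(text);
  return n <= 65535 ? n : null;
}

// Assumed blocked-port lists for the example. The legacy list has a few
// classic non-HTTP services; the fixed list adds the IRC range, as the
// CVE-2010-1409 fix did for the real list.
const LEGACY_BLOCKED_PORTS = new Set([21, 22, 23, 25, 110, 143]);
const BLOCKED_PORTS = new Set([...LEGACY_BLOCKED_PORTS, 6665, 6666, 6667, 6668, 6669]);

// Legacy pipeline: the policy check compares the number as written, then
// the socket layer truncates. Returns the port actually dialed, or null.
function legacyConnectPort(portText, blocked) {
  const requested = Number(portText);
  if (!Number.isInteger(requested) || requested < 0) return null;
  if (blocked.has(requested)) return null;   // 65558 is not on the list...
  return requested & 0xffff;                 // ...but 22 is what gets dialed
}

// Fixed pipeline: range-check first, so the value the policy sees is the
// value the socket uses, then apply the blacklist.
function fixedConnectPort(portText, blocked) {
  const port = parsePortChecked(portText);
  if (port === null) return null;
  if (blocked.has(port)) return null;
  return port;
}

function portDemo() {
  return {
    legacySsh: legacyConnectPort('65558', LEGACY_BLOCKED_PORTS),   // 22, despite the list
    legacyIrc: legacyConnectPort('6667', LEGACY_BLOCKED_PORTS),    // 6667, not on the list
    fixedOutOfRange: fixedConnectPort('65558', BLOCKED_PORTS),     // null
    fixedIrc: fixedConnectPort('6667', BLOCKED_PORTS),             // null
    fixedNormal: fixedConnectPort('8080', BLOCKED_PORTS),          // 8080
  };
}

console.log(portDemo());
```

The point of doing the range check before the policy check is that the blacklist and the socket then reason about the same number; a check applied to a value that is later truncated is a check applied to the wrong port.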
WebKit
CVE-ID: CVE-2010-1392
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's rendering of HTML buttons. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. Credit to Matthieu Bonetti of VUPEN Vulnerability Research Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-1405
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of HTML elements with custom vertical positioning. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to Ojan Vafai of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1407
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in an information disclosure
Description: An information disclosure issue exists in WebKit's handling of the 'history.replaceState' method. Within an iframe, calls to replaceState affect the parent frame even if the parent is in a separate origin. Visiting a maliciously crafted website may result in an information disclosure. This issue is addressed by restricting the operation of replaceState calls to the current frame. Credit to Darin Fisher of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1757
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Websites with embedded iframe elements may be vulnerable to user interface spoofing
Description: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. This issue is addressed by not allowing iframe elements to display content outside their boundaries. Credit to Wayne Pan of AdMob, Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1413
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: A user's NTLM credentials may be exposed to a man in the middle attacker
Description: In certain circumstances, WebKit may send NTLM credentials in plain text. This would allow a man in the middle attacker to view the NTLM credentials. This issue is addressed through improved handling of NTLM credentials. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1389
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Dragging or pasting a selection may lead to a cross-site scripting attack
Description: Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation. Credit to Paul Stone of Context Information Security for reporting this issue.

WebKit
CVE-ID: CVE-2010-0544
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: An issue in WebKit's handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. This issue is addressed through improved handling of URLs. Credit to Michal Zalewski of Google, Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1417
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's rendering of CSS-styled HTML content with multiple :after pseudo-selectors. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved rendering of HTML content. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-1414
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of the removeChild DOM method. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of child element removal. Credit to Mark Dowd of Azimuth Security for reporting this issue.

WebKit
CVE-ID: CVE-2010-1418
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An input validation issue exists in WebKit's handling of the src attribute of the frame element. An attribute with a javascript scheme and leading spaces is considered valid. Visiting a maliciously crafted website could lead to a cross-site scripting attack. This update addresses the issue by properly validating frame.src before the URL is dereferenced. Credit to Sergey Glazunov for reporting this issue.

WebKit
CVE-ID: CVE-2010-1416
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may disclose images from other sites
Description: A cross-site image capture issue exists in WebKit. By using a canvas with an SVG image pattern, a maliciously crafted website may load and capture an image from another website. This issue is addressed by restricting the reading of canvases that contain patterns loaded from other websites. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1415
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An API abuse issue exists in WebKit's handling of libxml contexts. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of libxml context objects. Credit to Aki Helin of OUSPG for reporting this issue.

WebKit
CVE-ID: CVE-2010-1758
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of DOM Range objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of DOM Range objects. Credit to Yaar Schnitman of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1759
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of the Node.normalize method. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of the Node.normalize method. Credit to Mark Dowd for reporting this issue.

WebKit
CVE-ID: CVE-2010-1761
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's rendering of HTML document subtrees. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved rendering of HTML document subtrees. Credit to James Robinson of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1762
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A design issue exists in the handling of HTML contained in textarea elements. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved validation of textarea elements. Credit to Eduardo Vela Nava (sirdarckcat) of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1769
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An out of bounds memory access issue exists in WebKit's handling of tables. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-1774
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An out of bounds memory access issue exists in WebKit's handling of HTML tables. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to wushi of team509 for reporting this issue.
