September 8, 2010 |
August 11, 2010 |
June 21, 2010 |
February 2, 2010 |
September 9, 2009 |
July 31, 2009 |
June 17, 2009 |
November 20, 2008 |
September 12, 2008 |
July 11, 2008 |
January 15, 2008 |
|
|
|
|
|
|
|
|
|
|
|
Accessibility |
FreeType |
Application Sandbox |
CoreAudio |
CoreAudio |
CoreTelephony |
CoreGraphics |
CoreGraphics |
Application Sandbox |
CFNetwork |
Foundation |
CVE-ID: CVE-2010-1809 |
CVE-ID: CVE-2010-1797 |
CVE-ID: CVE-2010-1751 |
CVE-ID: CVE-2010-0036 |
CVE-ID: CVE-2009-2206 |
CVE-ID: CVE-2009-2204 |
CVE-ID: CVE-2008-3623 |
CVE-ID: CVE-2008-2321 |
CVE-ID: CVE-2008-3631 |
CVE-ID: CVE-2008-0050 |
CVE-ID: CVE-2008-0035 |
Available for: iOS 3.0 through 4.0.2 for iPhone 3GS and later,
iOS 3.0 through 4.0.2 for iPod touch (3rd generation) |
Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later,
iOS 2.1 through 4.0 for iPod touch (2nd generation) and later; iOS 3.2 and
3.2.1 for iPad |
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
Available for: iPhone OS 1.0 through iPhone OS 3.0 |
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v2.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1
through 1.1.2 |
Impact: An application's use of location services may not be
announced through VoiceOver |
Impact: Viewing a PDF document with maliciously crafted embedded
fonts may allow arbitrary code execution |
Impact: An application may be able to infer the user's location
without authorization |
Impact: Playing a maliciously crafted mp4 audio file may lead to
an unexpected application termination or arbitrary code execution |
Impact: Opening a maliciously crafted AAC or MP3 file may lead
to an unexpected application termination or arbitrary code execution |
Impact: Receiving a maliciously crafted SMS message may lead to
an unexpected service interruption or arbitrary code execution |
Impact: Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
Impact: An application may be able to read another application's
files |
Impact: A malicious proxy server may spoof secure websites |
Impact: Accessing a maliciously crafted URL may lead to an
application termination or arbitrary code execution |
Description: A user interface accessibility issue exists in
the settings panel for Location Services. VoiceOver does not announce the
presence of the location services icon that is shown next to an application
that has requested the user's location within the last 24 hours. This issue
is addressed by ensuring that VoiceOver announces the presence of the icon.
Credit to Robin Kipp of Forever Living Products Europe for reporting this
issue. |
Description: A stack buffer overflow exists in FreeType's
handling of CFF opcodes. Viewing a PDF document with maliciously crafted
embedded fonts may allow arbitrary code execution. This issue is addressed
through improved bounds checking. |
Description: The Application Sandbox does not prevent
applications from directly accessing the user's photo library. This may allow
an application to determine visited locations without authorization. This
issue is addressed by modifying the Application Sandbox to prevent direct
access to the user's photo library. Credit to Zac White for reporting this
issue. |
Description: A buffer overflow exists in the handling of mp4
audio files. Playing a maliciously crafted mp4 audio file may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved bounds checking. Credit to Tobias Klein of
trapkit.de for reporting this issue. |
Description: A heap buffer overflow exists in the handling of
AAC or MP3 files. Opening a maliciously crafted AAC or MP3 file may lead to
an unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit to Tobias
Klein of trapkit.de for reporting this issue. |
Description: A memory corruption issue exists in the decoding of
SMS messages. Receiving a maliciously crafted SMS message may lead to an
unexpected service interruption or arbitrary code execution. This update
addresses the issue through improved error handling. Credit to Charlie Miller
of Independent Security Evaluators, and Collin Mulliner of Technical
University Berlin for reporting this issue. |
Description: A heap buffer overflow exists in the handling of
color spaces within CoreGraphics. Viewing a maliciously crafted image may
lead to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved bounds checking. Credit:
Apple. |
Description: CoreGraphics contains memory corruption issues in
the processing of arguments. Passing untrusted input to CoreGraphics via an
application, such as a web browser, may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue
through improved bounds checking. Credit to Michal Zalewski of Google for
reporting this issue. |
Description: The Application Sandbox does not properly enforce
access restrictions between third-party applications. This may allow a
third-party application to read files in another third-party application's
sandbox, and lead to the disclosure of sensitive information. This update
addresses the issue by enforcing the proper access restrictions between
application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell
for reporting this issue. This issue does not affect iPhone versions prior to
v2.0. |
Description: A malicious HTTPS proxy server may return arbitrary
data to CFNetwork in a 502 Bad Gateway error, which could allow a secure
website to be spoofed. This update addresses the issue by not returning the
proxy-supplied data on an error condition. |
Description: A memory corruption issue exists in Safari's
handling of URLs. By enticing a user to access a maliciously crafted URL, an
attacker may cause an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of URLs. |
|
|
|
|
|
|
|
|
|
|
|
FaceTime |
IOSurface |
CFNetwork |
ImageIO |
Exchange Support |
|
CoreGraphics |
ImageIO |
CoreGraphics |
Kernel |
Passcode Lock |
CVE-ID: CVE-2010-1810 |
CVE-ID: CVE-2010-2973 |
CVE-ID: CVE-2010-1752 |
CVE-ID: CVE-2009-2285 |
CVE-ID: CVE-2009-2794 |
|
CVE-ID: CVE-2009-0145 |
CVE-ID: CVE-2008-2327 |
CVE-ID: CVE-2008-1806, CVE-2008-1807, CVE-2008-1808 |
CVE-ID: CVE-2008-0177 |
CVE-ID: CVE-2008-0034 |
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later,
iOS 2.1 through 4.0 for iPod touch (2nd generation) and later; iOS 3.2 and
3.2.1 for iPad |
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later,
iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
Available for: iPhone v1.0 through v1.1.2 |
Impact: An attacker in a privileged network position may be able
to redirect FaceTime calls |
Impact: Malicious code running as the user may gain system
privileges |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution |
Impact: A person with physical access to a device may be able to
use it after the timeout period specified by an Exchange administrator |
|
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application
termination or arbitrary code execution |
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution |
Impact: Multiple vulnerabilities in FreeType v2.3.5 |
Impact: A remote attacker may be able to cause an unexpected
device reset |
Impact: An unauthorized user may bypass the Passcode Lock and
launch iPhone applications |
Description: An issue in the handling of invalid
certificates may allow an attacker in a privileged network position to
redirect FaceTime calls. This issue is addressed through improved handling of
certificates. Credit to Aaron Sigel of vtty.com for reporting this issue. |
Description: An integer overflow exists in the handling of
IOSurface properties, which may allow malicious code running as the user to
gain system privileges. This issue is addressed through improved bounds
checking. |
Description: A stack overflow exists in CFNetwork's URL handling
code. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved memory handling. Credit to Laurent OUDOT of TEHTRI-Security
for reporting this issue. |
Description: A buffer underflow exists in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved bounds checking. |
Description: iPhone OS provides the ability to communicate via
services provided by a Microsoft Exchange server. An administrator of an
Exchange server has the ability to specify a "Maximum inactivity time
lock" setting. This requires the user to reenter their passcode after
the expiration of the inactivity time in order to use the Exchange services.
iPhone OS allows a user to specify a "Require Passcode" setting
that may extend up to 4 hours. The "Require Passcode" setting is
not affected by the "Maximum inactivity time lock" setting. If the
user has "Require Passcode" set to a value higher than the
"Maximum inactivity time lock" setting, this would allow a window
of time for a person with physical access to use the device, including
Exchange services. This update addresses the issue by disabling user choices
for "Require Passcode" values greater than the "Maximum
inactivity time lock" setting. This issue only affects iPhone OS 2.0 and
later, and iPhone OS for iPod touch 2.0 and later. Credit to Allan Steven,
Robert Duran, Jeff Beckham of PepsiCo, Joshua Levitsky, Michael Breton of
Intel Corporation, Mike Karban of Edward Jones, and Steve Moriarty of Agilent
Technologies for reporting this issue. |
|
Description: Multiple memory corruption issues exist in CoreGraphics' handling of PDF
files. Opening a maliciously crafted PDF file may lead to an unexpected
application termination or arbitrary code execution. This update addresses
the issues through improved bounds and error checking. |
Description: Multiple uninitialized memory access issues exist
in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously
crafted TIFF image may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through proper
memory initialization and additional validation of TIFF images. |
Description: Multiple vulnerabilities exist in FreeType v2.3.5,
the most serious of which may lead to arbitrary code execution when accessing
maliciously crafted font data. This update addresses the issue by
incorporating the security fixes from version 2.3.6 of FreeType. Further
information is available via the FreeType site at http://www.freetype.org/ |
Description: An undetected failure condition exists in the
handling of packets with an IPComp header. Sending a maliciously crafted
packet to a system configured to use IPSec or IPv6 may cause an unexpected
device reset. This update addresses the issue by properly detecting the
failure condition. |
Description: The Passcode Lock feature is designed to prevent
applications from being launched unless the correct passcode is entered. An
implementation issue in the handling of emergency calls allows users with
physical access to an iPhone to launch an application without the passcode.
This update addresses the issue through an improved check on the state of the
Passcode Lock. |
|
|
|
|
|
|
|
|
|
|
|
ImageIO |
|
Find My iPhone |
Recovery Mode |
MobileMail |
|
CoreGraphics |
ImageIO |
mDNSResponder |
Safari |
Safari |
CVE-ID: CVE-2010-1811 |
|
CVE-ID: CVE-2010-1776 |
CVE-ID: CVE-2010-0038 |
CVE-ID: CVE-2009-2207 |
|
CVE-ID: CVE-2009-0146, CVE-2009-0147, CVE-2009-0165 |
CVE-ID: CVE-2008-1586 |
CVE-ID: CVE-2008-1447 |
CVE-ID: CVE-2008-1588 |
CVE-ID: CVE-2007-5858 |
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1
through 1.1.2 |
Impact: Processing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution |
|
Impact: A device with a MobileMe account configured may be remotely wiped, even if
"Find My iPhone" is disabled |
Impact: A person with physical access to a locked device may be
able to access the user's data |
Impact: Deleted email messages may still be visible through a
Spotlight search |
|
Impact: Viewing or downloading a PDF file containing a maliciously crafted JBIG2
stream may lead to an unexpected application termination or arbitrary code
execution |
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected device reset |
Impact: mDNSResponder is susceptible to DNS cache poisoning and
may return forged information |
Impact: Unicode ideographic spaces may be used to spoof a
website |
Impact: Visiting a malicious website may result in the
disclosure of sensitive information |
Description: A memory corruption issue exists in the
handling of TIFF images. Processing a maliciously crafted TIFF image may lead
to an unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of TIFF images. Credit: Apple. |
|
Description: A user may configure their device to use MobileMe. Individual MobileMe
services may be enabled or disabled via the Settings app. Disabling the
"Find My iPhone" service prevents the device from being located via
MobileMe, but does not prevent the phone from being wiped. An attacker with
access to the password of the configured MobileMe account may be able to wipe
the device. This issue is addressed by disabling remote wipe and message
display when the "Find My iPhone" service is disabled on the
device. |
Description: A memory corruption issue exists in the handling of
a certain USB control message. A person with physical access to the device
could use this to bypass the passcode and access the user's data. This issue
is addressed through improved handling of the USB control message. |
Description: Spotlight finds and allows access to deleted
messages in Mail folders on the device. This would allow a person with access
to the device to view the deleted messages. This update addresses the issue
by not including the deleted email in the Spotlight search result. This issue
only affects iPhone OS 3.0, iPhone OS 3.0.1, and iPhone OS for iPod touch
3.0. Credit to Clickwise Software and Tony Kavadias for reporting this issue. |
|
Description: Multiple heap buffer overflows exist in CoreGraphics' handling of PDF files
containing JBIG2 streams. Viewing or downloading a PDF file containing a
maliciously crafted JBIG2 stream may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue
through improved bounds checking. Credit to Apple, Alin Rad Pop of Secunia
Research, and Will Dormann of CERT/CC for reporting this issue. |
Description: A memory exhaustion issue exists in the handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected device reset. This update addresses the issue by limiting the
amount of memory allocated to open a TIFF image. Credit to Sergio 'shadown'
Alvarez of Recurity Labs GmbH for reporting this issue. |
Description: mDNSResponder provides translation between host
names and IP addresses for applications that use its unicast DNS resolution
API. A weakness in the DNS protocol may allow a remote attacker to perform
DNS cache poisoning attacks. As a result, applications that rely on
mDNSResponder for DNS may receive forged information. This update addresses
the issue by implementing source port and transaction ID randomization to
improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of
IOActive for reporting this issue. |
Description: When Safari displays the current URL in the address
bar, Unicode ideographic spaces are rendered. This allows a maliciously
crafted website to direct the user to a spoofed site that visually appears to
be a legitimate domain. This update addresses the issue by not rendering
Unicode ideographic spaces in the address bar. |
Description: WebKit allows a page to navigate the subframes of
any other page. Visiting a maliciously crafted web page could trigger a
cross-site scripting attack, which may lead to the disclosure of sensitive
information. This update addresses the issue by implementing a stricter frame
navigation policy. |
|
|
|
|
|
|
|
|
|
|
|
ImageIO |
|
ImageIO |
WebKit |
Recovery Mode |
|
CoreGraphics |
Networking |
Networking |
Safari |
|
CVE-ID: CVE-2010-1817 |
|
CVE-ID: CVE-2010-0041 |
CVE-ID: CVE-2009-3384 |
CVE-ID: CVE-2009-2795 |
|
CVE-ID: CVE-2009-0155 |
CVE-ID: CVE-2008-4227 |
CVE-ID: CVE-2008-3612 |
CVE-ID: CVE-2008-1589 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Processing a maliciously crafted GIF image may lead to
an unexpected application termination or arbitrary code execution |
|
Impact: Visiting a maliciously crafted website may result in sending data from
Safari's memory to the website |
Impact: Accessing a maliciously crafted FTP server could result
in an unexpected application termination, information disclosure, or
arbitrary code execution |
Impact: A person with physical access to a locked device may be
able to access the user's data |
|
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application
termination or arbitrary code execution |
Impact: The encryption level for PPTP VPN connections may be
lower than expected |
Impact: Predictable TCP initial sequence numbers generation may
lead to TCP spoofing or session hijacking |
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information |
|
Description: A buffer overflow exists in the handling of
GIF images. Processing a maliciously crafted GIF image may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved bounds checking. Credit to Tom Ferris of Adobe
PSIRT for reporting this issue. |
|
Description: An uninitialized memory access issue exists in ImageIO's handling of BMP
images. Visiting a maliciously crafted website may result in sending data
from Safari's memory to the website. This issue is addressed through improved
memory initialization and additional validation of BMP images. Credit to
Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue. |
Description: Multiple input validation issues exist in WebKit's
handling of FTP directory listings. Accessing a maliciously crafted FTP
server may lead to information disclosure, unexpected application
termination, or execution of arbitrary code. This update addresses the issues
through improved parsing of FTP directory listings. Credit to Michal Zalewski
of Google Inc. for reporting these issues. |
Description: A heap buffer overflow exists in Recovery Mode
command parsing. This may allow another person with physical access to the
device to bypass the passcode, and access the user's data. This update
addresses the issue through improved bounds checking. |
|
Description: An integer underflow in CoreGraphics' handling of PDF files may result in a
heap buffer overflow. Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. Credit to Barry K.
Nathan for reporting this issue. |
Description: The encryption level for PPTP VPN connections may
revert to a previous lower setting. This update addresses the issue by
properly setting the encryption preferences. Credit to Stephen Butler of the
University of Illinois of Urbana-Champaign for reporting this issue. |
Description: TCP initial sequence numbers are sequentially
generated. Predictable initial sequence numbers may allow a remote attacker
to create a spoofed TCP connection or insert data into an existing TCP
connection. This update addresses the issue by generating random TCP initial
sequence numbers. |
Description: When Safari accesses a website that uses a
self-signed or invalid certificate, it prompts the user to accept or reject
the certificate. If the user presses the menu button while at the prompt,
then on the next visit to the site, the certificate is accepted with no
prompt. This may lead to the disclosure of sensitive information. This update
addresses the issue through improved handling of certificates. Credit to
Hiromitsu Takagi for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
ImageIO |
WebKit |
Telephony |
|
CoreGraphics |
Office Viewer |
Passcode Lock |
Safari |
|
CVE-ID: CVE-2010-1786 |
|
CVE-ID: CVE-2010-0042 |
CVE-ID: CVE-2009-2841 |
CVE-ID: CVE-2009-2815 |
|
CVE-ID: CVE-2009-1179 |
CVE-ID: CVE-2008-4211 |
CVE-ID: CVE-2008-3633 |
CVE-ID: CVE-2008-2303 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
Available for: iPhone OS 1.0 through 3.1.2, iPhone OS for iPod
touch 1.1 through 3.1.2 |
Available for: iPhone OS 1.0 through 3.0.1 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v2.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact: Visiting a maliciously crafted website may result in sending data from
Safari's memory to the website |
Impact: Mail may load remote audio and video content when remote
image loading is disabled |
Impact: Receiving a maliciously crafted SMS message may lead to
an unexpected service interruption |
|
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application
termination or arbitrary code execution |
Impact: Viewing a maliciously crafted Microsoft Excel file may
lead to an unexpected application termination or arbitrary code execution |
Impact: An unauthorized user may bypass the Passcode Lock and
launch iPhone applications |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Description: A use after free issue exists in WebKit's
handling of "foreignObject" elements in SVG documents. Visiting a
maliciously crafted website may lead to an unexpected application termination
or arbitrary code execution. This issue is addressed through additional
validation of SVG documents. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue. |
|
Description: An uninitialized memory access issue exists in ImageIO's handling of TIFF
images. Visiting a maliciously crafted website may result in sending data
from Safari's memory to the website. This issue is addressed through improved
memory initialization and additional validation of TIFF images. Credit to
Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue. |
Description: When WebKit encounters an HTML 5 Media Element
pointing to an external resource, it does not issue a resource load callback
to determine if the resource should be loaded. This may result in undesired
requests to remote servers. As an example, the sender of an HTML-formatted
email message could use this to determine that the message was read. This
issue is addressed by generating resource load callbacks when WebKit
encounters an HTML 5 Media Element. |
Description: A null pointer dereference issue exists in the
handling of SMS arrival notifications. Receiving a maliciously crafted SMS
message may lead to an unexpected service interruption. This update addresses
the issue through improved handling of incoming SMS messages. Credit to
Charlie Miller of Independent Security Evaluators, and Collin Mulliner of
Technical University Berlin for reporting this issue. |
|
Description: An integer overflow in CoreGraphics' handling of PDF files may result in a
heap buffer overflow. Opening a PDF file containing a maliciously crafted
JBIG2 stream may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved bounds
checking. Credit to Will Dormann of CERT/CC for reporting this issue. |
Description: A signedness issue in Office Viewer's handling of
columns in Microsoft Excel files may result in an out-of-bounds memory
access. Viewing a maliciously crafted Microsoft Excel file may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issue by ensuring that the affected index values are not
negative. Credit: Apple. |
Description: The Passcode Lock feature is designed to prevent
applications from being launched unless the correct passcode is entered. An
implementation issue in the handling of emergency calls allows users with
physical access to an iPhone to launch an application without the passcode by
double clicking the home button in emergency call. This update addresses the
issue through improved handling of emergency calls. Credit to Matthew Yohe of
The University of Iowa's Department of Electrical and Computer Engineering
for reporting this issue. This issue does not affect iPhone versions prior to
v2.0. |
Description: A signedness issue in Safari's handling of
JavaScript array indices may result in an out-of-bounds memory access.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue by
performing additional validation of JavaScript array indices. Credit to
SkyLined of Google for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
ImageIO |
|
UIKit |
|
CoreGraphics |
Passcode Lock |
WebKit |
Safari |
|
CVE-ID: CVE-2010-1770 |
|
CVE-ID: CVE-2010-0043 |
|
CVE-ID: CVE-2009-2796 |
|
CVE-ID: CVE-2009-0946 |
CVE-ID: CVE-2008-4228 |
CVE-ID: CVE-2008-3632 |
CVE-ID: CVE-2006-2783 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
Available for: iPhone v1.0 through v2.0.2 |
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact: Processing a maliciously crafted TIFF image may lead to an unexpected
application termination or arbitrary code execution |
|
Impact: Passwords may be made visible |
|
Impact: Multiple vulnerabilities in FreeType v2.3.8 |
Impact: Emergency calls are not restricted to emergency numbers |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
Impact: Visiting a maliciously crafted website may lead to
cross-site scripting |
|
Description: A type checking issue exists in WebKit's
handling of text nodes. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved type checking. Credit to wushi of team509, working
with TippingPoint's Zero Day Initiative for reporting this issue. |
|
Description: A memory corruption issue exists in the handling of TIFF images. Processing a
maliciously crafted TIFF image may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved memory handling. Credit to Gus Mueller of Flying Meat for reporting
this issue. |
|
Description: When a character in a password is deleted, and the deletion is undone, the
character is briefly made visible. This may allow a person with physical
access to the device to read a password, one character at a time. This update
addresses the issue by preventing the character from being made visible. This
issue only affects iPhone OS 3.0 and iPhone OS 3.0.1. Credit to Abraham Vegh
for reporting this issue. |
|
Description: Multiple integer overflows exist in FreeType v2.3.8, which may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issues through improved bounds checking. Credit to Tavis
Ormandy of the Google Security Team for reporting these issues. |
Description: iPhone provides the ability to make an emergency
call when locked. Currently, an emergency call may be placed to any number. A
person with physical access to an iPhone may take advantage of this feature
to place arbitrary calls which are charged to the iPhone owner. This update
addresses the issue by restricting emergency calls to a limited set of phone
numbers. |
Description: A use-after-free issue exists in WebKit's handling
of CSS import statements. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution. This
update addresses the issue through improved handling of document references. |
Description: Safari ignores Unicode byte order mark sequences
when parsing web pages. Certain websites and web content filters attempt to
sanitize input by blocking specific HTML tags. This approach to filtering may
be bypassed and lead to cross-site scripting when encountering
maliciously-crafted HTML tags containing byte order mark sequences. This
update addresses the issue through improved handling of byte order mark
sequences. Credit to Chris Weber of Casaba Security, LLC for reporting this
issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
ImageIO |
|
WebKit |
|
Exchange |
Passcode
Lock |
|
Safari |
|
CVE-ID: CVE-2010-1785 |
|
CVE-ID:
CVE-2010-1753 |
|
CVE-ID:
CVE-2009-2797 |
|
CVE-ID: CVE-2009-0958 |
CVE-ID: CVE-2008-4229 |
|
CVE-ID:
CVE-2008-2307 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
Available
for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
|
Available
for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Processing a maliciously crafted JPEG image may lead to an unexpected
application termination or arbitrary code execution |
|
Impact: User
names and passwords in URLs may be disclosed to linked sites |
|
Impact: Connecting to a malicious Exchange server may lead to
the disclosure of sensitive information |
Impact: Restoring a device from backup may not re-enable the
Passcode Lock |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
Description: An uninitialized memory access issue exists in
WebKit's handling of the ":first-letter" and
":first-line" pseudo-elements in SVG text elements. Visiting a
maliciously crafted website may lead to an unexpected application termination
or arbitrary code execution. This issue is addressed by not rendering
":first-letter" or ":first-line" pseudo-elements in SVG
text elements. Credit to wushi of team509, working with TippingPoint's Zero
Day Initiative for reporting this issue. |
|
Description:
A memory corruption issue exists in the handling of JPEG images. Processing a
maliciously crafted JPEG image may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved memory handling. Credit to Ladd Van Tol of Critical Path Software
for reporting this issue. |
|
Description:
Safari includes the user name and password from the original URL in the
referer header. This may lead to the disclosure of sensitive information.
This update addresses the issue by not including user names and passwords in
referer headers. Credit to James A. T. Rice of Jump Networks Ltd for
reporting this issue. |
|
Description: Accepting an untrusted Exchange server certificate
results in storing an exception on a per-hostname basis. On the next visit to
an Exchange server contained in the exception list, its certificate is
accepted with no prompt and validation. This may lead to the disclosure of
credentials or application data. This update addresses the issue through
improved handling of untrusted certificate exceptions. Credit to FD of
Securus Global for reporting this issue. |
Description: The Passcode Lock feature is designed to prevent
applications from being launched unless the correct passcode is entered. A
race condition in the handling of device settings may cause the Passcode Lock
to be removed when the device is restored from backup. This may allow a
person with physical access to the device to launch applications without the
passcode. This update addresses the issue by improving the system's ability
to recognize missing preferences. This issue does not affect systems prior to
iPhone OS 2.0 or iPhone OS for iPod touch 2.0. Credit to Nolen Scaife for
reporting this issue. |
|
Description:
A memory corruption issue exists in WebKit's handling of JavaScript arrays.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This update addresses the issue
through improved bounds checking. Credit to James Urquhart for reporting this
issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
LibSystem |
|
WebKit |
|
ImageIO |
Passcode
Lock |
|
Safari |
|
CVE-ID: CVE-2010-1780 |
|
CVE-ID:
CVE-2009-0689 |
|
CVE-ID:
CVE-2009-1725 |
|
CVE-ID: CVE-2009-0040 |
CVE-ID: CVE-2008-4230 |
|
CVE-ID:
CVE-2008-2317 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
Available
for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0 |
|
Impact: Processing a maliciously crafted PNG image may lead to
an unexpected application termination or arbitrary code execution |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
|
Available
for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution |
|
Impact:
Applications that convert untrusted data between binary floating point and
text may be vulnerable to an unexpected application termination or arbitrary
code execution |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
Description: An uninitialized pointer issue exists in the
handling of PNG images. Processing a maliciously crafted PNG image may lead
to an unexpected application termination or arbitrary code execution. This
update addresses the issue through additional validation of PNG images.
Credit to Tavis Ormandy of Google Security Team for reporting this issue. |
Impact: Short Message Service (SMS) messages may be revealed
before the passcode is entered |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
Description: A use after free issue exists in WebKit's
handling of element focus. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution. This issue
is addressed through improved handling of element focus. Credit to Tony Chang
of Google, Inc. for reporting this issue. |
|
Description:
A buffer overflow exists in the floating point binary to text conversion code
within Libsystem. An attacker who can cause an application to convert a
floating point value into a long string, or to parse a maliciously crafted
string as a floating point value, may be able to cause an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved bounds checking. Credit to Maksymilian Arciemowicz of
SecurityReason.com for reporting this issue. |
|
Description:
A memory corruption issue exists in WebKit's handling of numeric character
references. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This update addresses
the issue through improved handling of numeric character references. Credit
to Chris Evans for reporting this issue. |
|
Description: An uninitialized pointer issue exists in the
handling of PNG images. Processing a maliciously crafted PNG image may lead
to an unexpected application termination or arbitrary code execution. This
update addresses the issue through additional validation of PNG images.
Credit to Tavis Ormandy of Google Security Team for reporting this issue. |
Description: If an SMS message arrives while the emergency call
screen is visible, the entire SMS message is displayed, even if the
"Show SMS Preview" preference was set to "OFF". This
update addresses the issue by, in this situation, displaying only a
notification that an SMS message has arrived, and not its content. |
|
Description:
A memory corruption issue exists in WebCore's handling of style sheet
elements. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This update addresses
the issue through improved garbage collection. Credit to an anonymous
researcher working with the TippingPoint Zero Day Initiative for reporting
this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
libxml |
|
WebKit |
|
International
Components for Unicode |
Safari |
|
Safari |
|
CVE-ID: CVE-2010-1793 |
|
CVE-ID:
CVE-2009-2414, CVE-2009-2416 |
|
CVE-ID:
CVE-2009-1724 |
|
CVE-ID: CVE-2009-0153 |
CVE-ID: CVE-2008-4231 |
|
CVE-ID:
CVE-2007-6284 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
Available
for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
|
Available
for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Parsing maliciously crafted XML content may lead to an unexpected application
termination |
|
Impact:
Visiting a maliciously crafted website may lead to a cross-site scripting
attack |
|
Impact: Maliciously crafted content may bypass website filters
and result in cross-site scripting |
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Processing an XML document may lead to a denial of service |
|
Description: A use after free issue exists in WebKit's
handling of "font-face" and "use" elements in SVG
documents. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved handling of "font-face" and "use"
elements in SVG documents. Credit to Aki Helin of OUSPG for reporting this
issue. |
|
Description:
Multiple use after free issues exist in libxml2, the most serious of which
may lead to an unexpected application termination. The issues are addressed
through improved memory handling. Credit to Rauli Kaksonen and Jukka Taimisto
from the CROSS project at Codenomicon Ltd. for reporting these issues. |
|
Description:
An issue in WebKit's handling of the parent and top objects may result in a
cross-site scripting attack when visiting a maliciously crafted website. This
update addresses the issue through improved handling of parent and top
objects. |
|
Description: An implementation issue exists in ICU's handling of
certain character encodings. Using ICU to convert invalid byte sequences to
Unicode may result in over-consumption, where trailing bytes are considered
part of the original character. This may be leveraged by an attacker to
bypass filters on websites that attempt to mitigate cross-site scripting.
This update addresses the issue through improved handling of invalid byte
sequences. Credit to Chris Weber of Casaba Security for reporting this issue. |
Description: A memory corruption issue exists in the handling of
HTML table elements. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issue through improved handling of HTML table elements. Credit
to Haifei Li of Fortinet's FortiGuard Global Security Research Team for
reporting this issue. |
|
Description:
A memory consumption issue exists in the handling of XML documents containing
invalid UTF-8 sequences, which may lead to a denial of service. This update
addresses the issue by updating the libxml2 system library to version 2.6.16. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
Passcode Lock |
|
WebKit |
|
IPSec |
Safari |
|
Safari |
|
CVE-ID: CVE-2010-1421 |
|
CVE-ID:
CVE-2010-1754 |
|
CVE-ID: CVE-2009-2199 |
|
CVE-ID: CVE-2008-3651, CVE-2008-3652 |
CVE-ID: CVE-2008-4232 |
|
CVE-ID: CVE-2008-1767 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod
touch 1.1 through 3.0 |
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
|
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may change the
contents of the clipboard |
|
Impact:
Remote Lock via MobileMe may not be effective in preventing access |
|
Impact: Look-alike characters in a URL could be used to
masquerade a website |
|
Impact: Multiple vulnerabilities in the racoon daemon may lead
to a denial of service |
Impact: Websites with embedded iframe elements may be vulnerable
to user interface spoofing |
|
Impact: Processing an XML document may lead to an unexpected
application termination or arbitrary code execution |
|
Description: A design issue exists in the implementation of
the JavaScript execCommand function. A maliciously crafted web page can
modify the contents of the clipboard without user interaction. This issue is
addressed by only allowing clipboard commands to be executed if initiated by
the user. Credit: Apple. |
|
Description:
If the device is unlocked in response to an alert, such as receiving a text
message or voicemail, and MobileMe is then used to Remote Lock the device,
then the next unlock of the device will have the passcode already entered. A
person with physical access to the device will not require the passcode in
this situation. This issue is addressed by properly clearing the passcode.
Credit to Sidney San Martin of DeepTech, Inc. for reporting this issue. |
|
Description: The International Domain Name (IDN) support and
Unicode fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious website to direct
the user to a spoofed site that visually appears to be a legitimate domain.
This update addresses the issue by supplementing WebKit's list of known
look-alike characters. Look-alike characters are rendered in Punycode in the
address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this
issue. |
|
Description: Multiple memory leaks exist in the racoon daemon in
ipsec-tools before 0.7.1, which may lead to a denial of service. This update
addresses the issues through improved memory management. |
Description: Safari allows an iframe element to display content
outside its boundaries, which may lead to user interface spoofing. This
update addresses the issue by not allowing iframe elements to display content
outside their boundaries. This issue does not affect systems prior to iPhone
OS 2.0 or iPhone OS for iPod touch 2.0. Credit to John Resig of Mozilla
Corporation for reporting this issue. |
|
Description: A memory corruption issue exists in the libxslt
library. Viewing a maliciously crafted HTML page may lead to an unexpected
application termination or arbitrary code execution. Further information on
the patch applied is available via the xmlsoft.org website
(http://xmlsoft.org/XSLT/). Credit to Anthony de Almeida Lopes of Outpost24 AB,
and Chris Evans of Google Security Team for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
Passcode Lock |
|
|
|
libxml |
Safari |
|
WebKit |
|
CVE-ID: CVE-2010-1422 |
|
CVE-ID:
CVE-2010-1775 |
|
|
|
CVE-ID: CVE-2008-3281, CVE-2008-3529, CVE-2008-4409,
CVE-2008-4225, CVE-2008-4226 |
CVE-ID: CVE-2008-4233 |
|
CVE-ID: CVE-2008-1590 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
|
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Interacting with a maliciously crafted website may
result in unexpected actions on other sites |
|
Impact: A
person with physical access to a device may be able to access the user's data |
|
|
|
Impact: Multiple vulnerabilities in libxml2 version 2.6.16 |
Impact: Visiting a maliciously crafted website may initiate a
phone call without user interaction |
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Description: An implementation issue exists in WebKit's
handling of keyboard focus. If the keyboard focus changes during the
processing of key presses, WebKit may deliver an event to the newly-focused
frame, instead of the frame that had focus when the key press occurred. A
maliciously crafted website may be able to manipulate a user into taking an
unexpected action, such as initiating a purchase. This issue is addressed by
preventing the delivery of key press events if the keyboard focus changes
during processing. Credit to Michal Zalewski of Google, Inc. for reporting
this issue. |
|
Description:
A device with a passcode set may only be paired with a computer if the device
is unlocked. A race condition permits pairing for a short period after the
initial boot, if the device was unlocked before powering down. If the device
was shut down from a locked state, this issue does not occur. This issue is
addressed through improved checking for the locked state. |
|
|
|
Description: Multiple vulnerabilities in libxml2 version 2.6.16,
the most serious of which may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by updating the
libxml2 system library to version 2.7.3. |
Description: If an application is launched via Safari
while a call approval dialog is shown, the call will be placed. This may
allow a maliciously crafted website to initiate a phone call without user
interaction. Additionally, under certain circumstances it may be possible for
a maliciously crafted website to block the user's ability to cancel dialing
for a short period of time. This update addresses the issue by properly
dismissing Safari's call approval dialog when an application is being launched
via Safari. Credit to Collin Mulliner of Fraunhofer SIT for reporting this
issue. |
|
Description: A memory corruption issue exists in
JavaScriptCore's handling of runtime garbage collection. Visiting a
maliciously crafted website may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through improved
garbage collection. Credit to Itzik Kotler and Jonathan Rom of Radware for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
Safari |
|
|
|
Mail |
WebKit |
|
WebKit |
|
CVE-ID: CVE-2010-1771 |
|
CVE-ID:
CVE-2010-1755 |
|
|
|
CVE-ID: CVE-2009-0960 |
CVE-ID: CVE-2008-3644 |
|
CVE-ID: CVE-2008-1025 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod
touch 1.1 through 2.1 |
|
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Cookies may be set by third-party sites even when the Accept Cookies
preference is set to "From visited" or "Never" |
|
|
|
Impact: Users do not have control over the loading of remote
images in HTML messages |
Impact: Sensitive information may be disclosed to a person with
physical access to an unlocked device |
|
Impact: Accessing a maliciously crafted URL may result in
cross-site scripting |
|
Description: A use after free issue exists in WebKit's
handling of fonts. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved handling of fonts. Credit: Apple. |
|
Description:
An implementation issue exists in the handling of cookie preferences. Cookie
preferences are not applied until Safari is restarted. Cookies may be set by
third-party sites even when the Accept Cookies preference is set to
"From visited" or "Never". This issue is addressed by
applying the Accept Cookies preference. Credit to Jason Dent of Street Side
Software for reporting this issue. |
|
|
|
Description: Mail does not provide a preference to turn off the
automatic loading of remote images. Opening an HTML email containing a remote
image will automatically request it. The server hosting a remote image can
determine that the email was read, and the network address of the device.
This update addresses the issue by adding a preference to turn off the
automatic loading of remote images. Credit to Ronald C.F. Antony of Cubiculum
Systems, Stefan Seiz of ERNI Electronics GmbH, Oskar Lissheim-Boethius of
iPhone development house OLB Productions, Meyer Consulting, Oliver Quas,
Christian Schmitz of MonkeybreadSoftware, Thomas Adams of TynTec, Aviv Raff
of aviv.raffon.net, and Collin Mulliner of Fraunhofer SIT for reporting this
issue. |
Description: Disabling autocomplete on a form field may not
prevent the data in the field from being stored in the browser page cache.
This may lead to the disclosure of sensitive information to a person with
physical access to an unlocked device. This update addresses the issue by
properly clearing the form data. Credit to an anonymous researcher for
reporting this issue. |
|
Description: An issue exists in WebKit's handling of URLs
containing a colon character in the host name. Accessing a maliciously
crafted URL may lead to a cross-site scripting attack. This update addresses
the issue through improved handling of URLs. Credit to Robert Swiecki of the
Google Security Team, and David Bloom for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
Safari |
|
|
|
Mail |
|
|
WebKit |
|
CVE-ID: CVE-2010-1783 |
|
CVE-ID:
CVE-2010-1384 |
|
|
|
CVE-ID: CVE-2009-0961 |
|
|
CVE-ID: CVE-2008-1026 |
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1
through v1.1.4 |
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact: A
maliciously crafted URL may be obfuscated, making phishing attacks more
effective |
|
|
|
Impact: An application that causes an alert to appear may
initiate a phone call without user interaction |
|
|
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution |
|
Description: A memory corruption issue exists in WebKit's
handling of dynamic modifications to text nodes. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved memory
management. |
|
Description:
Safari supports the inclusion of user information in URLs, which allows the
URL to specify a username and password to authenticate the user to the named
server. These URLs are often used to confuse users, which can potentially aid
phishing attacks. Safari is updated to display a warning before navigating to
an HTTP or HTTPS URL containing user information. Credit to Abhishek Arya of
Google, Inc. for reporting this issue. |
|
|
|
Description: If an application causes an alert to appear while
Mail's call approval dialog is shown, the call will be placed without user
interaction. This update addresses the issue by not dismissing the call
approval dialog when other alerts appear. Credit to Collin Mulliner of
Fraunhofer SIT for reporting this issue. |
|
|
Description: A heap buffer overflow exists in WebKit's handling
of JavaScript regular expressions. The issue may be triggered via JavaScript
when processing regular expressions with large, nested repetition counts.
This may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of JavaScript regular expressions. Credit to Charlie Miller of
Independent Security Evaluators for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
Safari |
|
|
|
MPEG-4
Video Codec |
|
|
|
|
CVE-ID: CVE-2010-1764 |
|
CVE-ID:
CVE-2009-1723 |
|
|
|
CVE-ID: CVE-2009-0959 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a website that redirects form submissions may
lead to an information disclosure |
|
Impact: A
maliciously crafted website may control the displayed website URL while a
certificate warning is displayed |
|
|
|
Impact: Viewing a maliciously crafted MPEG-4 video file may lead
to an unexpected device reset |
|
|
|
|
Description: A design issue exists in WebKit's handling of
HTTP redirects. When a form submission is redirected to a website that also
does a redirection, the information contained in the submitted form may be
sent to the third site. This issue is addressed through improved handling of
HTTP redirects. Credit to Marc Worrell of WhatWebWhat for reporting this
issue. |
|
Description:
When Safari reaches a website via a 302 redirection and a certificate warning
is displayed, the URL bar will contain the original website URL instead of
the current website URL. This may allow a maliciously crafted website that is
reached via an open redirector on a user-trusted website to control the
displayed website URL while a certificate warning is displayed. This issue is
addressed by returning the correct URL in the underlying CFNetwork layer.
Credit to Kevin Day of Your.Org, and Jason Mueller of Indiana University for
reporting this issue. |
|
|
|
Description: An input validation issue exists in the handling of
MPEG-4 video files. Viewing a maliciously crafted MPEG-4 video file may lead
to an unexpected device reset. This update addresses the issue through
improved handling of MPEG-4 video files. Credit to Si Brindley for reporting
this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
Settings |
|
|
|
Profiles |
|
|
|
|
CVE-ID: CVE-2010-1782 |
|
CVE-ID:
CVE-2010-1756 |
|
|
|
CVE-ID: CVE-2009-1679 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact: A
user may be misled as to the actual operational wireless network |
|
|
|
Impact: Installing a configuration profile may weaken the
passcode policy defined by Exchange ActiveSync |
|
|
|
|
Description: A memory corruption issue exists in WebKit's
rendering of inline elements. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to wushi of
team509 for reporting this issue. |
|
Description:
A design issue exists in the Settings application. When connected to a hidden
wireless network, the Settings application may incorrectly indicate another
wireless network. This issue is addressed by properly displaying the active
wireless network. Credit to Wilfried Teiken for reporting this issue. |
|
|
|
Description: An issue in the handling of configuration profiles
may allow a weaker passcode policy to overwrite the passcode policy already
set via Exchange ActiveSync. This may allow a person with physical access to
the device to bypass the passcode policy set via Exchange ActiveSync. This
update addresses the issue through improved handling of configuration
profiles. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
Safari |
|
|
|
|
CVE-ID: CVE-2010-1781 |
|
CVE-ID:
CVE-2009-2195 |
|
|
|
CVE-ID: CVE-2009-1680 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Clearing Safari's history via the Settings application
does not prevent disclosure of the search history to a person with physical
access to the device |
|
|
|
|
Description: A double free issue exists in WebKit's
rendering of inline elements. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory management. Credit to James
Robinson of Google, Inc. for reporting this issue. |
|
Description:
A buffer overflow exists in WebKit's parsing of floating point numbers.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. The issue is addressed through
improved bounds checking. Credit: Apple. |
|
|
|
Description: Clearing Safari's history via the Settings
application does not reset the search history. In this case, another person
with physical access to the device may be able to view the search history.
This update addresses the issue by removing the search history when Safari's
history is cleared via the Settings application. Credit to Joshua Belsky for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
Safari |
|
|
|
|
CVE-ID: CVE-2010-1784 |
|
CVE-ID:
CVE-2009-2816 |
|
|
|
CVE-ID: CVE-2009-1681 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a maliciously crafted website may result in unexpected actions on
other websites |
|
|
|
Impact: Interacting with a maliciously crafted website may
result in unexpected actions on other sites |
|
|
|
|
Description: A memory corruption issue exists in WebKit's
handling of CSS counters. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution. This issue
is addressed through improved memory management. Credit to wushi of team509,
working with TippingPoint's Zero Day Initiative for reporting this issue. |
|
Description:
An issue exists in WebKit's implementation of Cross-Origin Resource Sharing.
Before allowing a page from one origin to access a resource in another
origin, WebKit sends a preflight request to the latter server for access to
the resource. WebKit includes custom HTTP headers specified by the requesting
page in the preflight request. This can facilitate cross-site request
forgery. This issue is addressed by removing custom HTTP headers from
preflight requests. Credit: Apple. |
|
|
|
Description: A design issue exists in the same-origin policy
mechanism used to limit interactions between websites. This policy allows
websites to load pages from third-party websites into a subframe. This frame
may be positioned to entice the user to click a particular element within the
frame, an attack referred to as "clickjacking". A maliciously
crafted website may be able to manipulate a user into taking an unexpected
action, such as initiating a purchase. This update addresses the issue through
adoption of the industry-standard 'X-Frame-Options' extension header, which
allows individual web pages to opt out of being displayed within a subframe. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
Telephony |
|
|
|
|
CVE-ID: CVE-2010-1787 |
|
CVE-ID:
CVE-2010-0544 |
|
|
|
CVE-ID: CVE-2009-1683 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a maliciously crafted website may result in a cross-site scripting
attack |
|
|
|
Impact: A remote attacker may cause an unexpected device reset |
|
|
|
|
Description: A memory corruption issue exists in WebKit's
handling of floating elements in SVG documents. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved memory
management. |
|
Description:
An issue in WebKit's handling of malformed URLs may result in a cross-site
scripting attack when visiting a maliciously crafted website. This issue is
addressed through improved handling of URLs. Credit to Michal Zalewski of
Google, Inc. for reporting this issue. |
|
|
|
Description: A logic issue in the handling of ICMP echo request
packets may cause an assertion to be triggered. By sending a maliciously
crafted ICMP echo request packet, a remote attacker may be able to cause an
unexpected device reset. This update addresses the issue by removing the
assertion. Credit to Masaki Yoshida for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
WebKit |
|
|
|
|
CVE-ID: CVE-2010-1791 |
|
CVE-ID:
CVE-2010-1395 |
|
|
|
CVE-ID: CVE-2008-2320 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a malicious site may lead to a cross-site scripting attack |
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
|
|
|
Description: A signedness issue exists in WebKit's handling
of JavaScript arrays. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved handling of JavaScript array indices. Credit to
Natalie Silvanovich for reporting this issue. |
|
Description:
A scope management issue exists in WebKit's handling of event objects.
Visiting a malicious site may lead to a cross-site scripting attack. This
issue is addressed through improved handling of event objects. Credit to
Gianni "gf3" Chiappetta of Runlevel6 for reporting this issue. |
|
|
|
Description: A memory corruption issue exists in WebKit's
handling of invalid color strings in Cascading Style Sheets. Visiting a
maliciously crafted website may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through improved
sanitization of color strings. Credit to Thomas Raffetseder of the
International Secure Systems Lab for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
WebKit |
|
|
|
|
CVE-ID: CVE-2010-1788 |
|
CVE-ID:
CVE-2010-0051 |
|
|
|
CVE-ID: CVE-2009-0945 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a maliciously crafted website may lead to the disclosure of
sensitive information |
|
|
|
Impact: Visiting a maliciously crafted website may lead to
arbitrary code execution |
|
|
|
|
Description: A memory corruption issue exists in WebKit's
handling of "use" elements in SVG documents. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved handling
of "use" elements in SVG documents. Credit to Justin Schuh of
Google, Inc. for reporting this issue. |
|
Description:
An implementation issue exists in WebKit's handling of cross-origin
stylesheet requests. Visiting a maliciously crafted website may disclose the
content of protected resources on another website. This issue is addressed by
performing additional validation on stylesheets that are loaded during a
cross-origin request. |
|
|
|
Description: A memory corruption issue exists in WebKit's
handling of SVGList objects. Visiting a maliciously crafted website may lead
to arbitrary code execution. This update addresses the issue through improved
bounds checking. Credit to Nils working with TippingPoint's Zero Day
Initiative for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
WebKit |
|
|
|
|
CVE-ID: CVE-2010-1812 |
|
CVE-ID:
CVE-2010-1390 |
|
|
|
CVE-ID: CVE-2009-1684 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a website using UTF-7 encoding may lead to a cross-site scripting
attack |
|
|
|
Impact: Visiting a maliciously crafted website may result in
cross-site scripting |
|
|
|
|
Description: A use after free issue exists in WebKit's
handling of selections. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved handling of selections. Credit to Ojan Vafai of
Google, Inc. for reporting this issue. |
|
Description:
A canonicalization issue exists in WebKit's handling of UTF-7 encoded text.
An HTML quoted string may be left unterminated, leading to a cross-site
scripting attack or other issues. This issue is addressed by removing support
for UTF-7 encoding in WebKit. Credit to Masahiro Yamada for reporting this
issue. |
|
|
|
Description: A cross-site scripting issue exists in the
separation of JavaScript contexts. A maliciously crafted web page may use an
event handler to execute a script in the security context of the next web
page that is loaded in its window or frame. This update addresses the issue
by ensuring that event handlers are not able to directly affect an
in-progress page transition. Credit to Michal Zalewski of Google Inc. for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
WebKit |
|
|
|
|
CVE-ID: CVE-2010-1813 |
|
CVE-ID:
CVE-2010-0047 |
|
|
|
CVE-ID: CVE-2009-1685 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may result in
cross-site scripting |
|
|
|
|
Description: A memory corruption issue exists in WebKit's
rendering of HTML object outlines. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory management. Credit to Jose A.
Vazquez of spa-s3c.blogspot.com for reporting this issue. |
|
Description:
A use-after-free issue exists in the handling of HTML object element fallback
content. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit to wushi of team509,
working with TippingPoint's Zero Day Initiative for reporting this issue. |
|
|
|
Description: A cross-site scripting issue exists in the
separation of JavaScript contexts. By enticing a user to visit a maliciously
crafted web page, the attacker may overwrite the 'document.implementation' of
an embedded or parent document served from a different security zone. This
update addresses the issue by ensuring that changes to
'document.implementation' do not affect other documents. Credit to Dean
McNamee of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
WebKit |
|
|
|
|
CVE-ID: CVE-2010-1814 |
|
CVE-ID:
CVE-2010-0053 |
|
|
|
CVE-ID: CVE-2009-1686 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may lead to
arbitrary code execution |
|
|
|
|
Description: A memory corruption issue exists in WebKit's
handling of form menus. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
fixed through improved handling of form menus. Credit to Csaba Osztrogonac of
University of Szeged for reporting this issue. |
|
Description:
A use-after-free issue exists in the rendering of content with a CSS display
property set to 'run-in'. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution. This issue
is addressed through improved memory reference tracking. Credit to wushi of
team509, working with TippingPoint's Zero Day Initiative for reporting this
issue. |
|
|
|
Description: A type conversion issue exists in WebKit's
JavaScript exception handling. When an attempt is made to assign the
exception to a variable that is declared as a constant, an object is cast to
an invalid type, causing memory corruption. Visiting a maliciously crafted
website may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue by ensuring that assignment in a
const declaration writes to the variable object. Credit to Jesse Ruderman of
Mozilla Corporation for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
WebKit |
|
|
|
WebKit |
|
|
|
|
CVE-ID: CVE-2010-1815 |
|
CVE-ID:
CVE-2010-0050 |
|
|
|
CVE-ID: CVE-2009-1687 |
|
|
|
|
Available for: iOS 2.0 through 4.0.2 for iPhone 3G and later,
iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later |
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
|
|
|
Description: A use after free issue exists in WebKit's
handling of scrollbars. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved memory management. Credit to Tony Chang of Google,
Inc. for reporting this issue. |
|
Description:
A use-after-free issue exists in WebKit's handling of incorrectly nested HTML
tags. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit to wushi&Z of team509
working with TippingPoint's Zero Day Initiative for reporting this issue. |
|
|
|
Description: A memory corruption issue exists in WebKit's
JavaScript garbage collector implementation. If an allocation fails, a memory
write to an offset of a NULL pointer may result, leading to an unexpected
application termination or arbitrary code execution. This update addresses
the issue by checking for allocation failure. Credit to SkyLined of Google
Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1406 |
|
|
|
CVE-ID: CVE-2009-1688, CVE-2009-1689 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting an HTTPS site which redirects to an HTTP site may lead to an
information disclosure |
|
|
|
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack |
|
|
|
|
|
|
Description:
When WebKit is redirected from an HTTPS site to an HTTP site, the Referer
header is passed to the HTTP site. This can lead to the disclosure of
sensitive information contained in the URL of the HTTPS site. This issue is
addressed by not passing the Referer header when an HTTPS site redirects to
an HTTP site. Credit to Colin Percival of Tarsnap for reporting this issue. |
|
|
|
Description: Multiple issues in WebKit's handling of JavaScript
objects may lead to a cross-site scripting attack. This update addresses the
issues through improved handling of cross-site interaction with JavaScript
objects. Credit to Adam Barth of UC Berkeley, and Collin Jackson of Stanford
University for reporting these issues. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-0048 |
|
|
|
CVE-ID: CVE-2009-1690 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may result in an
unexpected application termination or arbitrary code execution |
|
|
|
|
|
|
Description:
A use-after-free issue exists in WebKit's parsing of XML documents. Visiting
a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved memory reference tracking. |
|
|
|
Description: A memory corruption issue exists in WebKit's
handling of recursion in certain DOM event handlers. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through improved
memory management. Credit to SkyLined of Google Inc. for reporting this
issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-0046 |
|
|
|
CVE-ID: CVE-2009-1691 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may lead to
cross-site scripting |
|
|
|
|
|
|
Description:
A memory corruption issue exists in WebKit's handling of CSS format()
arguments. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved handling of CSS format() arguments. Credit to Robert Swiecki
of Google Inc. for reporting this issue. |
|
|
|
Description: A cross-site scripting issue in Safari allows a
maliciously crafted website to alter standard JavaScript prototypes of
websites served from a different domain. By enticing a user to visit a
maliciously crafted web page, an attacker may be able to alter the execution
of JavaScript served from other websites. This update addresses the issue
through improved access controls on these prototypes. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-0052 |
|
|
|
CVE-ID: CVE-2009-1692 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected device reset |
|
|
|
|
|
|
Description:
A use-after-free issue exists in WebKit's handling of callbacks for HTML
elements. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit: Apple. |
|
|
|
Description: A memory consumption issue exists in the handling
of HTMLSelectElement objects. Visiting a maliciously crafted webpage
containing an HTMLSelectElement with a very large length attribute may lead
to an unexpected device reset. This update addresses the issue through
improved handling of HTMLSelectElement objects. Credit to Thierry Zoller of
G-SEC (www.g-sec.lu) for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1397 |
|
|
|
CVE-ID: CVE-2009-1693 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may disclose
images from other sites |
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's rendering of a selection when the
layout changes. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved handling of selections. Credit to wushi&Z of
team509, working with TippingPoint's Zero Day Initiative for reporting this
issue. |
|
|
|
Description: A cross-site image capture issue exists in WebKit.
By using a canvas with an SVG image, a maliciously crafted website may load
and capture an image from another website. This update addresses the issue by
restricting the reading of canvases that have images loaded from other
websites. Credit to Chris Evans of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-0049 |
|
|
|
CVE-ID: CVE-2009-1694 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may disclose
images from other sites |
|
|
|
|
|
|
Description:
A use-after-free issue exists in the handling of HTML elements containing
right-to-left displayed text. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory reference tracking. Credit to
wushi&Z of team509 for reporting this issue. |
|
|
|
Description: A cross-site image capture issue exists in WebKit.
By using a canvas and a redirect, a maliciously crafted website may load and
capture an image from another website. This update addresses the issue
through improved handling of redirects. Credit to Chris Evans of for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1393 |
|
|
|
CVE-ID: CVE-2009-1695 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an information disclosure |
|
|
|
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack |
|
|
|
|
|
|
Description:
An information disclosure issue exists in WebKit's handling of Cascading
Stylesheets. If a stylesheet's HREF attribute is set to a URL that causes a
redirection, scripts on the page may be able to access the redirected URL.
Visiting a maliciously crafted website may lead to the disclosure of
sensitive URLs on another site. This issue is addressed by returning the
original URL to scripts, rather than the redirected URL. |
|
|
|
Description: An issue in WebKit allows the contents of a frame
to be accessed by an HTML document after a page transition has taken place.
This may allow a maliciously crafted website to perform a cross-site
scripting attack. This update addresses the issue through an improved domain
check. Credit to Feng Qian of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-0054 |
|
|
|
CVE-ID: CVE-2009-1696 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Websites may surreptitiously track users |
|
|
|
|
|
|
Description:
A use-after-free issue exists in WebKit's handling of HTML image elements.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved memory reference tracking. Credit: Apple. |
|
|
|
Description: Safari generates random numbers for JavaScript
applications using a predictable algorithm. This could allow a website to
track a particular Safari session without using cookies, hidden form
elements, IP addresses, or other techniques. This update addresses the issue
by using a better random number generator. Credit to Amit Klein of Trusteer
for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1119 |
|
|
|
CVE-ID: CVE-2009-1697 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack |
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of attribute manipulation.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved memory reference tracking. Credit to Vincenzo Iozzo and Ralf Philipp
Weinmann working with TippingPoint's Zero Day Initiative, and Michal Zalewski
of Google, Inc., for reporting this issue. |
|
|
|
Description: A CRLF injection issue exists in the handling of
XMLHttpRequest headers in WebKit. This may allow a malicious website to
bypass the same-origin policy by issuing an XMLHttpRequest that does not
contain a Host header. XMLHttpRequests without a Host header may reach other
websites on the same server, and allow attacker-supplied JavaScript to
interact with those sites. This update addresses the issue through improved
handling of XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting
this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1387 |
|
|
|
CVE-ID: CVE-2009-1698 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution |
|
|
|
|
|
|
Description:
A use after free issue exists in JavaScriptCore during page transitions.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved memory management. |
|
|
|
Description: An uninitialized pointer issue exists in the
handling of the CSS 'attr' function. Viewing a maliciously crafted web page
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through additional validation of
CSS elements. Credit to Thierry Zoller working with TippingPoint's Zero Day
Initiative, and Robert Swiecki of the Google Security Team for reporting this
as a security issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1400 |
|
|
|
CVE-ID: CVE-2009-1699 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may result in an
information disclosure |
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of caption elements.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved handling of caption elements. Credit to regenrecht working with
iDefense for reporting this issue. |
|
|
|
Description: An XML External Entity issue exists in WebKit's
handling of XML. Visiting a maliciously crafted website may result in the
website being able to read files from the user's system. This update
addresses the issue by not loading external entities across origins. Credit
to Chris Evans of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1409 |
|
|
|
CVE-ID: CVE-2009-1700 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may allow remotely specified data to
be sent to an IRC server |
|
|
|
Impact: Visiting a maliciously crafted website may result in the
disclosure of sensitive information |
|
|
|
|
|
|
Description:
Common IRC service ports are not included in WebKit's port blacklist.
Visiting a maliciously crafted website may allow remotely specified data to
be sent to an IRC server. This may cause the server to take unintended
actions on the user's behalf. This issue is addressed by adding the affected
ports to WebKit's port blacklist. |
|
|
|
Description: WebKit does not properly handle redirects when
processing Extensible Stylesheet Language Transformations (XSLT). This allows
a maliciously crafted website to retrieve XML content from pages on other
websites, which could result in the disclosure of sensitive information. This
update addresses the issue by ensuring that documents referenced in
transformations are downloaded from the same domain as the transformation
itself. Credit to Chris Evans of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1398 |
|
|
|
CVE-ID: CVE-2009-1701 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution |
|
|
|
|
|
|
Description:
A memory corruption issue exists in WebKit's handling of ordered list
insertions. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved handling of list insertions. Credit to wushi of team509,
working with TippingPoint's Zero Day Initiative for reporting this issue. |
|
|
|
Description: A use-after-free issue exists in WebKit's handling
of the JavaScript DOM. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issue through improved handling of document elements. Credit to
wushi & ling of team509 working with TippingPoint's Zero Day Initiative
for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
WebKit |
|
|
|
|
|
|
CVE-ID:
CVE-2010-1402 |
|
|
|
CVE-ID: CVE-2009-1702 |
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod
touch 1.1 through 2.2.1 |
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
Impact: Visiting a malicious website may lead to a cross-site
scripting attack |
|
|
|
|
|
|
Description:
A double free issue exists in WebKit's handling of event listeners in SVG
images. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved handling of SVG images. Credit to wushi of team509, working
with TippingPoint's Zero Day Initiative for reporting this issue. |
|
|
|
Description: An issue in WebKit's handling of Location and
History objects may result in a cross-site scripting attack when visiting a
malicious website. This update addresses the issue through improved handling
of Location and History objects. Credit to Adam Barth and Joel Weinberger of
UC Berkeley for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1394 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to a cross-site scripting
attack |
|
|
|
|
|
|
|
|
|
|
Description:
A design issue exists in WebKit's handling of HTML document fragments. The
contents of HTML document fragments are processed before a fragment is
actually added to a document. Visiting a maliciously crafted website could
lead to a cross-site scripting attack if a legitimate website attempts to
manipulate a document fragment containing untrusted data. This issue is
addressed by ensuring that initial fragment parsing has no side effects on
the document that created the fragment. Credit to Eduardo Vela Nava
(sirdarckcat) of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1399 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
An uninitialized memory access issue exists in WebKit's handling of selection
changes on form input elements. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of selections. Credit to
wushi of team509, working with TippingPoint's Zero Day Initiative for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1396 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of the removal of
container elements. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This issue is
addressed through improved memory reference tracking. Credit to wushi of
team509, working with TippingPoint's Zero Day Initiative for reporting this
issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1401 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of the ':first-letter'
pseudo-element in cascading stylesheets. Visiting a maliciously crafted
website may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of the
':first-letter' pseudo-element. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1403 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
An uninitialized memory access issue exists in WebKit's handling of malformed
XML when rendering SVG images. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of SVG images. Credit to
wushi of team509, working with TippingPoint's Zero Day Initiative, for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1404 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of SVG images with
multiple 'use' elements. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution. This issue
is addressed through improved handling of 'use' elements in SVG images.
Credit to wushi of team509, working with TippingPoint's Zero Day Initiative
for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1410 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A memory corruption issue exists in WebKit's handling of malformed XML in SVG
images. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved handling of XML in SVG images. Credit to Aki Helin of OUSPG
for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1391 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may cause files to be created in
arbitrary user-writable locations |
|
|
|
|
|
|
|
|
|
|
Description:
A path traversal issue exists in WebKit's support for Local Storage and Web
SQL databases. If accessed from an application-defined scheme containing
'%2f' (/) or '%5c' (\) and '..' in the host section of the URL, a maliciously
crafted website may cause database files to be created outside of the
designated directory. This issue is addressed by encoding characters that may
have special meaning in pathnames. This issue does not affect sites served
from http: or https: schemes. Credit: Apple. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1408 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may result in sending remotely
specified data to arbitrary TCP ports |
|
|
|
|
|
|
|
|
|
|
Description:
An integer truncation issue exists in WebKit's handling of requests to
non-default TCP ports. Visiting a maliciously crafted website may result in
sending remotely specified data to arbitrary TCP ports. This issue is
addressed by ensuring that port numbers are within the valid range. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1392 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's rendering of HTML buttons. Visiting
a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved memory management. Credit to Matthieu Bonetti of VUPEN Vulnerability
Research Team for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1405 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of HTML elements with
custom vertical positioning. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory reference tracking. Credit to Ojan
Vafai of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1407 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may result in an information
disclosure |
|
|
|
|
|
|
|
|
|
|
Description:
An information disclosure issue exists in WebKit's handling of the
'history.replaceState' method. Within an iframe, calls to replaceState affect
the parent frame even if the parent is in a separate origin. Visiting a
maliciously crafted website may result in an information disclosure. This
issue is addressed by restricting the operation of replaceState calls to the
current frame. Credit to Darin Fisher of Google Inc. for reporting this
issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1757 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Websites with embedded iframe elements may be vulnerable to user interface
spoofing |
|
|
|
|
|
|
|
|
|
|
Description:
Safari allows an iframe element to display content outside its boundaries,
which may lead to user interface spoofing. This issue is addressed by not
allowing iframe elements to display content outside their boundaries. Credit
to Wayne Pan of AdMob, Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1413 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact: A
user's NTLM credentials may be exposed to a man in the middle attacker |
|
|
|
|
|
|
|
|
|
|
Description:
In certain circumstances, WebKit may send NTLM credentials in plain text.
This would allow a man in the middle attacker to view the NTLM credentials.
This issue is addressed through improved handling of NTLM credentials.
Credit: Apple. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1389 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Dragging or pasting a selection may lead to a cross-site scripting attack |
|
|
|
|
|
|
|
|
|
|
Description:
Dragging or pasting a selection from one site to another may allow scripts
contained in the selection to be executed in the context of the new site.
This issue is addressed through additional validation of content before a
paste or a drag and drop operation. Credit to Paul Stone of Context
Information Security for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-0544 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may result in a cross-site scripting
attack |
|
|
|
|
|
|
|
|
|
|
Description:
An issue in WebKit's handling of malformed URLs may result in a cross-site
scripting attack when visiting a maliciously crafted website. This issue is
addressed through improved handling of URLs. Credit to Michal Zalewski of
Google, Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1417 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A memory corruption issue exists in WebKit's rendering of CSS-styled HTML
content with multiple :after pseudo-selectors. Visiting a maliciously crafted
website may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved rendering of HTML
content. Credit to wushi of team509 for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1414 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of the removeChild DOM
method. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved handling of child element removal. Credit to Mark Dowd of
Azimuth Security for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1418 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to a cross-site scripting
attack |
|
|
|
|
|
|
|
|
|
|
Description:
An input validation issue exists in WebKit's handling of the src attribute of
the frame element. An attribute with a javascript scheme and leading spaces
is considered valid. Visiting a maliciously crafted website could lead to a
cross-site scripting attack. This update addresses the issue by properly
validating frame.src before the URL is dereferenced. Credit to Sergey
Glazunov for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1416 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may disclose images from other sites |
|
|
|
|
|
|
|
|
|
|
Description:
A cross-site image capture issue exists in WebKit. By using a canvas with an
SVG image pattern, a maliciously crafted website may load and capture an
image from another website. This issue is addressed by restricting the
reading of canvases that contain patterns loaded from other websites. Credit
to Chris Evans of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1415 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
An API abuse issue exists in WebKit's handling of libxml contexts. Visiting a
maliciously crafted website may lead to an unexpected application termination
or arbitrary code execution. This issue is addressed through improved
handling of libxml context objects. Credit to Aki Helin of OUSPG for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1758 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of DOM Range objects.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved handling of DOM Range objects. Credit to Yaar Schnitman of Google
Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1759 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's handling of the Node.normalize
method. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved handling of the Node.normalize method. Credit to Mark Dowd
for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1761 |
|
|
|
|
|
|
|
|
|
|
Available
for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X
Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
A use after free issue exists in WebKit's rendering of HTML document
subtrees. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved rendering of HTML document subtrees. Credit to James
Robinson of Google Inc. for reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1762 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to a cross-site scripting
attack |
|
|
|
|
|
|
|
|
|
|
Description:
A design issue exists in the handling of HTML contained in textarea elements.
Visiting a maliciously crafted website may lead to a cross-site scripting
attack. This issue is addressed through improved validation of textarea
elements. Credit to Eduardo Vela Nava (sirdarckcat) of Google Inc. for
reporting this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1769 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
An out of bounds memory access issue exists in WebKit's handling of tables.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved bounds checking. Credit to wushi of team509 for reporting this
issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebKit |
|
|
|
|
|
|
|
|
|
|
CVE-ID:
CVE-2010-1774 |
|
|
|
|
|
|
|
|
|
|
Available
for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1 through 3.1.3 for
iPod touch (2nd generation) and later |
|
|
|
|
|
|
|
|
|
|
Impact:
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution |
|
|
|
|
|
|
|
|
|
|
Description:
An out of bounds memory access issue exists in WebKit's handling of HTML
tables. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is addressed
through improved bounds checking. Credit to wushi of team509 for reporting
this issue. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|