Apple plugs remote-code execution flaws in iPhone

Powered by SC Magazine

Exchange issues, exposed passwords and much more.

Apple has plugged several security holes in its iPhone and iPod Touch OS, one of which could allow criminals to take over a vulnerable device by injecting and executing malicious code on the device if the victim visits a malicious website.

According to an Apple security advisory, the updated version of its mobile operating system (3.1 for iPhone and 3.1.1 for iPod Touch), fixes numerous holes that could open users to a variety of attacks, both remotely and by malicious users with physical access to a vulnerable device.

The most dangerous flaw (CVE-2009-1725) was present in all previous versions of the mobile OS and could "lead to an unexpected application termination or arbitrary code execution" if the user visits a maliciously crafted website. A similar flaw (CVE-2009-1724) could allow a cross-site scripting attack if the user visits a malicious website.

Phishing attacks could be enhanced by exploiting a vulnerability (CVE-2009-2199) that allows fraudsters to create copycat web sites in order to extract personal information from unsuspecting users.

According to the advisory, "The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain."

A buffer overflow error (CVE-2009-2206) opens users to remote code execution when the device opens a specially crafted MP3 or AAC file.

Users who connect to a Microsoft Exchange server via their iPhone or iPod Touch are also affected by a flaw labelled CVE-2009-2794. Apple warns that if the device falls into the wrong hands, it would be possible to access an exchange server even if the timeout period set by the Exchange administrator has expired.

According to Apple, once the timeout period has expired, users are required to re-enter their password. However, exploitation of the flaw creates "a window of time for a person with physical access to use the device, including Exchange services."

Other vulnerabilities include one that exposes hidden passwords (CVE-2009-2796), and one that allows access an iPhone even if it is locked (CVE-2009-2795). A flaw in MobileMail means emails that were deleted could still appear in a Spotlight search(CVE-2009-2207). Apple also fixed an issue that revealed usernames and passwords in URLs (CVE-2009-2797).

Apple was unavailable for comment.

Apple plugs remote-code execution flaws in iPhone
Top Stories
Myer CIO named retailer's new chief executive
Richard Umbers to lead data-driven retail strategy.
Empty terminals and mountains of data
Qantas CIO Luc Hennekens says no-one is safe from digital disruption.
BoQ takes $10m hit on Salesforce CRM
Regulatory hurdles end cloud pilot.
Sign up to receive iTnews email bulletins
Latest Comments
Who do you trust most to protect your private data?

   |   View results
Your bank
Your insurance company
A technology company (Google, Facebook et al)
Your telco, ISP or utility
A retailer (Coles, Woolworths et al)
A Federal Government agency (ATO, Centrelink etc)
An Australian law enforcement agency (AFP, ASIO et al)
A State Government agency (Health dept, etc)

Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
I DON'T support shutting the OAIC.