Apple plugs remote-code execution flaws in iPhone

Powered by SC Magazine

Exchange issues, exposed passwords and much more.

Apple has plugged several security holes in its iPhone and iPod Touch OS, one of which could allow criminals to take over a vulnerable device by injecting and executing malicious code on the device if the victim visits a malicious website.

According to an Apple security advisory, the updated version of its mobile operating system (3.1 for iPhone and 3.1.1 for iPod Touch), fixes numerous holes that could open users to a variety of attacks, both remotely and by malicious users with physical access to a vulnerable device.

The most dangerous flaw (CVE-2009-1725) was present in all previous versions of the mobile OS and could "lead to an unexpected application termination or arbitrary code execution" if the user visits a maliciously crafted website. A similar flaw (CVE-2009-1724) could allow a cross-site scripting attack if the user visits a malicious website.

Phishing attacks could be enhanced by exploiting a vulnerability (CVE-2009-2199) that allows fraudsters to create copycat web sites in order to extract personal information from unsuspecting users.

According to the advisory, "The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain."

A buffer overflow error (CVE-2009-2206) opens users to remote code execution when the device opens a specially crafted MP3 or AAC file.

Users who connect to a Microsoft Exchange server via their iPhone or iPod Touch are also affected by a flaw labelled CVE-2009-2794. Apple warns that if the device falls into the wrong hands, it would be possible to access an exchange server even if the timeout period set by the Exchange administrator has expired.

According to Apple, once the timeout period has expired, users are required to re-enter their password. However, exploitation of the flaw creates "a window of time for a person with physical access to use the device, including Exchange services."

Other vulnerabilities include one that exposes hidden passwords (CVE-2009-2796), and one that allows access an iPhone even if it is locked (CVE-2009-2795). A flaw in MobileMail means emails that were deleted could still appear in a Spotlight search(CVE-2009-2207). Apple also fixed an issue that revealed usernames and passwords in URLs (CVE-2009-2797).

Apple was unavailable for comment.

Apple plugs remote-code execution flaws in iPhone
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx