Posted by: David Harley | February 3, 2010

iPhone and iPod Touch News

When the Mac Virus site started, Apple’s product range was rather more limited than it is now. These days, it doesn’t make sense to restrict Apple coverage to desktops and Macbooks, so here are a couple of iPhone-related items.

The Register’s Dan Goodin tells us that the iPhone is vulnerable to a remote attack on SSL:

http://www.theregister.co.uk/2010/02/02/iphone_malicious_config_attack/.

“The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization’s IT policies, said Charlie Miller, a researcher at Independent Security Evaluators. Not only does the provisioning feature work over the internet, it can be tricked into accepting malicious configuration files.”

Heise summarizes the vulnerabilities addressed in iPhone/iPod OS 3.1.3 at http://h-online.com/-920756 while The Register’s James Sherwood also has a take on it at http://reg.cx/1Gq9.

See also Apple’s security support notes at http://support.apple.com/kb/HT4013. In brief:

  • CVE-2010-0036: a maliciously crafted MP4 file could crash an app or execute arbitrary code
  • CVE-2009-2285: a maliciously crafted TIFF file could crash an app or execute arbitrary code
  • CVE-2010-0038: someone with physical access to a locked device could access the user’s data, using a recovery-mode USB control message to bypass the passcode

Also, two Webkit issues:

  • CVE-2009-3384: input validation issues that allow a maliciously crafted FTP server to crash an app, leak information or execute arbitrary code
  • CVE-2009-2841: an HTML 5 media element issue (no resource load callback) that could allow Mail to load audio or video content even when remote image loading is disabled

Sherwood suggests that existing iPhones will upgrade to 3.2 in March, when the iPad hits the shelves.

Talking of computers hitting things, we’re pleased to hear that Andrew Lee’s Macbook survived a fall while jogging round his desk. Maybe you should keep it on a lead, AJ.

David Harley FBCS CITP CISSP
Mac Virus
Small Blue-Green World
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com


Responses

  1. […] iPhone and iPod Touch News is commentary on vulnerabilities and countermeasures on those platforms […]
