CVE-2009-2206: About the security content of iOS 3.1 and iOS 3.1.1 for iPod touch
Multiple heap-based buffer overflows in the AudioCodecs library in the CoreAudio component in Apple iPhone OS before 3.1, and iPhone OS before 3.1.1 for iPod touch, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted (1) AAC or (2) MP3 file, as demonstrated by a ringtone with malformed entries in the sample size table.
This document describes the security content of iOS 3.1 and iOS 3.1.1 for iPod touch.
This article has been archived and is no longer updated by Apple.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see “How to use the Apple Product Security PGP Key.”
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see “Apple Security Updates.”
iOS 3.1 and iOS 3.1.1 for iPod touch
CoreAudio
CVE-ID: CVE-2009-2206
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: Opening a maliciously crafted AAC or MP3 file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of AAC or MP3 files. Opening a maliciously crafted AAC or MP3 file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.
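The CVE text for this issue mentions a ringtone with malformed entries in the sample size table; in the MP4-family containers used for AAC ringtones that table is the 'stsz' box. The advisory does not describe the exact defect, so the following is an added example (not Apple's or the AudioCodecs library's code) of the bounds checking such a parser needs: the declared sample count is validated against the bytes actually present before any allocation or read. The limit STSZ_MAX_SAMPLES and the three payloads are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

#define STSZ_MAX_SAMPLES (1u << 20)   /* assumed sanity limit, not an Apple value */

/* Big-endian 32-bit read; the caller guarantees four bytes are present. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the payload of an ISO BMFF 'stsz' (sample size) box:
 *   version(1) flags(3) sample_size(4) sample_count(4) [entry(4) x sample_count]
 * Returns sample_count and a malloc'd size array in *out (caller frees), or -1
 * when the declared count is not backed by the bytes actually present. */
long parse_stsz(const uint8_t *payload, size_t len, uint32_t **out) {
    *out = NULL;
    if (payload == NULL || len < 12) return -1;            /* truncated header */
    uint32_t sample_size  = be32(payload + 4);
    uint32_t sample_count = be32(payload + 8);
    if (sample_count > STSZ_MAX_SAMPLES) return -1;        /* absurd count */
    /* Divide instead of multiplying so a large count cannot wrap the product. */
    if (sample_size == 0 && sample_count > (len - 12) / 4)
        return -1;                                         /* table overruns the box */
    uint32_t *sizes = malloc(sample_count ? sample_count * sizeof *sizes : 1);
    if (sizes == NULL) return -1;
    for (uint32_t i = 0; i < sample_count; i++)            /* every read now stays in bounds */
        sizes[i] = sample_size ? sample_size : be32(payload + 12 + 4 * (size_t)i);
    *out = sizes;
    return (long)sample_count;
}

/* Constructed payloads: version/flags, sample_size=0, sample_count, entries. */
static const uint8_t good_stsz[]  = {0,0,0,0, 0,0,0,0, 0,0,0,2, 0,0,1,0, 0,0,2,0};
static const uint8_t short_stsz[] = {0,0,0,0, 0,0,0,0, 0,0,0,3, 0,0,1,0}; /* claims 3, holds 1 */
static const uint8_t huge_stsz[]  = {0,0,0,0, 0,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0,0,1,0};

/* Returns 1 when the well-formed table parses and both malformed ones are rejected. */
int stsz_demo(void) {
    uint32_t *sizes = NULL;
    long n = parse_stsz(good_stsz, sizeof good_stsz, &sizes);
    int ok = (n == 2 && sizes != NULL && sizes[0] == 256 && sizes[1] == 512);
    free(sizes);
    ok = ok && parse_stsz(short_stsz, sizeof short_stsz, &sizes) == -1;
    ok = ok && parse_stsz(huge_stsz, sizeof huge_stsz, &sizes) == -1;
    return ok;
}
```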
Exchange Support
CVE-ID: CVE-2009-2794
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: A person with physical access to a device may be able to use it after the timeout period specified by an Exchange administrator
Description: iOS provides the ability to communicate via services provided by a Microsoft Exchange server. An administrator of an Exchange server has the ability to specify a “Maximum inactivity time lock” setting. This requires the user to reenter their passcode after the expiration of the inactivity time in order to use the Exchange services. iOS allows a user to specify a “Require Passcode” setting that may extend up to 4 hours. The “Require Passcode” setting is not affected by the “Maximum inactivity time lock” setting. If the user has “Require Passcode” set to a value higher than the “Maximum inactivity time lock” setting, this would allow a window of time for a person with physical access to use the device, including Exchange services. This update addresses the issue by disabling user choices for “Require Passcode” values greater than the “Maximum inactivity time lock” setting. This issue only affects iOS 2.0 and later, and iOS for iPod touch 2.0 and later. Credit to Allan Steven, Robert Duran, Jeff Beckham of PepsiCo, Joshua Levitsky, Michael Breton of Intel Corporation, Mike Karban of Edward Jones, and Steve Moriarty of Agilent Technologies for reporting this issue.
MobileMail
CVE-ID: CVE-2009-2207
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: Deleted email messages may still be visible through a Spotlight search
Description: Spotlight finds and allows access to deleted messages in Mail folders on the device. This would allow a person with access to the device to view the deleted messages. This update addresses the issue by not including the deleted email in the Spotlight search result. This issue only affects iOS 3.0, iOS 3.0.1, and iOS for iPod touch 3.0. Credit to Clickwise Software and Tony Kavadias for reporting this issue.
Recovery Mode
CVE-ID: CVE-2009-2795
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: A person with physical access to a locked device may be able to access the user’s data
Description: A heap buffer overflow exists in Recovery Mode command parsing. This may allow another person with physical access to the device to bypass the passcode, and access the user’s data. This update addresses the issue through improved bounds checking.
Telephony
CVE-ID: CVE-2009-2815
Available for: iOS 1.0 through 3.0.1
Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption
Description: A null pointer dereference issue exists in the handling of SMS arrival notifications. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption. This update addresses the issue through improved handling of incoming SMS messages. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin for reporting this issue.
UIKit
CVE-ID: CVE-2009-2796
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: Passwords may be made visible
Description: When a character in a password is deleted, and the deletion is undone, the character is briefly made visible. This may allow a person with physical access to the device to read a password, one character at a time. This update addresses the issue by preventing the character from being made visible. This issue only affects iOS 3.0 and iOS 3.0.1. Credit to Abraham Vegh for reporting this issue.
WebKit
CVE-ID: CVE-2009-2797
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: User names and passwords in URLs may be disclosed to linked sites
Description: Safari includes the user name and password from the original URL in the Referer header. This may lead to the disclosure of sensitive information. This update addresses the issue by not including user names and passwords in Referer headers. Credit to James A. T. Rice of Jump Networks Ltd for reporting this issue.
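An illustration of the fix described above, added here and not Apple's or WebKit's code: a C helper that removes the userinfo part of a URL before the URL is used as a Referer value, while leaving an '@' that appears in the path or query untouched. The names referer_strip_userinfo, referer_for, referer_demo and the sample URLs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Copy url into out (cap bytes) with any "userinfo@" removed from the authority
 * component, which is the form a Referer header should carry.
 * Returns 1 if credentials were stripped, 0 if the URL was copied unchanged,
 * and -1 if out is too small (out is then left untouched). */
int referer_strip_userinfo(const char *url, char *out, size_t cap) {
    const char *rest = url;   /* portion copied after the kept prefix */
    size_t prefix_len = 0;    /* bytes of url kept before rest, e.g. "https://" */
    int stripped = 0;
    const char *auth = strstr(url, "://");
    if (auth != NULL) {
        auth += 3;
        /* The authority ends at the first '/', '?' or '#'; an '@' after that
         * point (in a path or query) is ordinary data, not userinfo. */
        size_t auth_len = strcspn(auth, "/?#");
        const char *at = NULL;
        for (const char *p = auth; p < auth + auth_len; p++)
            if (*p == '@') at = p;   /* last '@' separates userinfo from host */
        if (at != NULL) {
            prefix_len = (size_t)(auth - url);
            rest = at + 1;
            stripped = 1;
        }
    }
    if (prefix_len + strlen(rest) + 1 > cap) return -1;
    memcpy(out, url, prefix_len);
    strcpy(out + prefix_len, rest);
    return stripped;
}

/* Demo helper (assumed, not part of any real API): strips into a static buffer
 * and returns NULL when the URL does not fit. */
static char scratch[256];
const char *referer_for(const char *url) {
    return referer_strip_userinfo(url, scratch, sizeof scratch) < 0 ? NULL : scratch;
}

/* Constructed examples: credentials in the authority are dropped, an '@' in the path is kept. */
int referer_demo(void) {
    return strcmp(referer_for("https://alice:s3cret@example.com/path?q=1"),
                  "https://example.com/path?q=1") == 0
        && strcmp(referer_for("https://example.com/inbox/a@b"),
                  "https://example.com/inbox/a@b") == 0;
}
```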
WebKit
CVE-ID: CVE-2009-1725
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
WebKit
CVE-ID: CVE-2009-1724
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An issue in WebKit’s handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
WebKit
CVE-ID: CVE-2009-2199
Available for: iOS 1.0 through 3.0.1, iOS for iPod touch 1.1 through 3.0
Impact: Look-alike characters in a URL could be used to masquerade as a legitimate website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit’s list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.
Published Date: January 28, 2016
Related news
Incomplete blacklist vulnerability in WebKit in Apple Safari before 4.0.3, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms, allows remote attackers to spoof domain names in URLs, and possibly conduct phishing attacks, via unspecified homoglyphs.
WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms; KHTML in kdelibs in KDE; QtWebKit (aka Qt toolkit); and possibly other products do not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document.
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms, allows remote attackers to inject arbitrary web script or HTML via vectors related to parent and top objects.