ID

VAR-201103-0083

CVE

CVE-2011-1417

TITLE

plural Apple Run on product QuickLook Vulnerable to arbitrary code execution

DESCRIPTION

Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document with a crafted size field in the OfficeArtMetafileHeader, related to OfficeArtBlip, as demonstrated on the iPhone by Charlie Miller and Dion Blazakis during a Pwn2Own competition at CanSecWest 2011. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari on the iPhone. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the support for parsing Office files. When handling the OfficeArtMetafileHeader the process trusts the cbSize field and performs arithmetic on it before making an allocation. As the result is not checked for overflow, the subsequent allocation can be undersized. Later when copying into this buffer, memory can be corrupted leading to arbitrary code execution under the context of the mobile user on the iPhone. An attacker can exploit this issue by enticing an unsuspecting user into viewing a specially crafted website. Failed exploits will likely result in a denial-of-service condition. Apple iOS 4.3 and earlier are vulnerable. NOTE: Due to memory protections in place in iOS 4.3, code execution will be difficult. An integer overflow vulnerability exists in QuickLook used in MobileSafari in Apple Mac OS X versions prior to 10.6.7 and Apple iOS versions prior to 4.2.7, 4.3.2 and 4.3.x when parsing OfficeArtBlips. CVE-ID CVE-2011-1417 : Charlie Miller and Dion Blazakis working with TippingPoint's Zero Day Initiative Pages for iOS v1.5 is available for download via the App Store. To check the current version of software, select "Settings -> Pages -> Version". ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). Other versions may also be affected. SOLUTION: Do not browse untrusted websites. ---------------------------------------------------------------------- A step-by-step discussion of the latest Flash Player 0-day exploit: http://secunia.com/blog/210 ---------------------------------------------------------------------- TITLE: Apple iOS for iPhone 4 (CDMA) Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44154 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44154/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44154 RELEASE DATE: 2011-04-16 DISCUSS ADVISORY: http://secunia.com/advisories/44154/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44154/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44154 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities has been reported in Apple iOS for iPhone 4 (CDMA), which can be exploited by malicious people to compromise a vulnerable device. 1) A boundary error exists within QuickLook. For more information see vulnerability #29 in: SA43814 2) An integer overflow error exists within WebKit. For more information: SA43748 3) A use-after-free error exists within WebKit. The vulnerabilities are reported in iOS for iPhone 4 (CDMA) versions 4.2.5 through 4.2.6. SOLUTION: Update to iOS for iPhone 4 (CDMA) 4.2.7 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: 1) Charlie Miller and Dion Blazakis via ZDI. 2) Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann via ZDI. 3) Vupen via ZDI. The vendor also credits Martin Barbella. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4607 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-109/ http://www.zerodayinitiative.com/advisories/ZDI-11-104/ http://www.zerodayinitiative.com/advisories/ZDI-11-135/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-07-20-2 iWork 9.1 Update iWork 9.1 Update is now available and addresses the following: Numbers Available for: iWork 9.0 through 9.0.5 Impact: Opening a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of Excel files. CVE-ID CVE-2010-3785 : Apple Numbers Available for: iWork 9.0 through 9.0.5 Impact: Opening a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of Excel files. CVE-ID CVE-2010-3786 : Tobias Klein, working with VeriSign iDefense Labs Pages Available for: iWork 9.0 through 9.0.5 Impact: Opening a maliciously crafted Microsoft Word document may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of Microsoft Word documents. CVE-ID CVE-2011-1417 : Charlie Miller and Dion Blazakis working with TippingPoint's Zero Day Initiative iWork 9.1 Update is available via the Apple Software Update application, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The download file is named: iWork9.1Update.dmg Its SHA-1 digest is: ecb38db74d7d1954cbcee9220c73dac85cace3e1 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJOKcGrAAoJEGnF2JsdZQeewcYH/RhHdLa6x14PX+ZTC+sm1Mjc W1xBpOxMuBpAx3Li6INXXLvMablTgPIs5e3pbtsV0RYtsJy99JdPySPI8bpQu0Si CVWuXXSBYy2gdTtRAf6MI3j+oOyM1JhE7GunLBWcmAzv5TxS8TRf0HtNErFEe8NA StV8QBWLErNyHxqjUQsIb5d1KbIbOysFQZy3O6pyZ6SRwr8tlIPKnY4KsaDYS5Ry tpv3lMysde5NqCy8BeOQEtW/WAmE7i9NCCNfU2L+OfGQOXIdXmKl7Orjj+d9l23L umGo9GCACvBVO1Ot6jKDlCW+ZuDRGuz+fhQnwOdyoqtwUwiNCsS6VIwuYYrcmxw= =wrny -----END PGP SIGNATURE----- . -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4581 -- Disclosure Timeline: 2011-03-09 - Vulnerability reported to vendor 2011-03-22 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Charlie Miller and Dion Blazakis -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

digital error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Charlie Miller and Dion Blazakis

SOURCES

LAST UPDATE DATE

2025-04-11T22:19:52.290000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE