ID

VAR-201301-0339

CVE

CVE-2013-0963

TITLE

Apple iOS 6.1 of Identity Services Vulnerabilities that bypass authentication

DESCRIPTION

Identity Services in Apple iOS before 6.1 does not properly handle validation failures of AppleID certificates, which might allow physically proximate attackers to bypass authentication by leveraging an incorrect assignment of an empty string value to an AppleID. An attacker can exploit this issue to bypass certain security restrictions, allowing the attacker to perform malicious activities. Note: This issue was previously discussed in BID 57572 (Apple iPhone/iPad/iPod touch Prior to iOS 6.1 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to multiple security vulnerabilities. These issues affect the following components: Identity Services Kernel StoreKit WebKit Successfully exploiting these issues may allow attackers to execute arbitrary script code, bypass security restrictions, obtain sensitive information, execute arbitrary code, or crash the affected device. Other attacks are also possible. This BID is being retired. The following individual records exist to better document the issues: 57576 WebKit CVE-2013-0948 Unspecified Memory Corruption Vulnerability 57580 WebKit CVE-2013-0949 Unspecified Memory Corruption Vulnerability 57581 WebKit CVE-2013-0950 Unspecified Memory Corruption Vulnerability 57582 WebKit CVE-2013-0951 Unspecified Memory Corruption Vulnerability 57583 WebKit CVE-2013-0962 Cross Site Scripting Vulnerability 57584 WebKit CVE-2013-0952 Unspecified Memory Corruption Vulnerability 57585 WebKit CVE-2013-0953 Unspecified Memory Corruption Vulnerability 57586 WebKit CVE-2013-0954 Unspecified Memory Corruption Vulnerability 57587 WebKit CVE-2013-0955 Unspecified Memory Corruption Vulnerability 57588 WebKit CVE-2013-0956 Unspecified Memory Corruption Vulnerability 57589 WebKit CVE-2013-0958 Unspecified Memory Corruption Vulnerability 57590 WebKit CVE-2013-0959 Unspecified Memory Corruption Vulnerability 57591 WebKit CVE-2013-0968 Unspecified Memory Corruption Vulnerability 57595 Apple iPhone/iPad/iPod touch Prior to iOS 6.1 Information Disclosure Vulnerability 57597 Apple iPhone/iPad/iPod touch CVE-2013-0974 Security Bypass Vulnerability 57598 Apple iPhone/iPad/iPod touch Prior to iOS 6.1 CVE-2013-0963 Security Bypass Vulnerability. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. CVE-ID CVE-2011-3058 : Masato Kinugawa Kernel Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A user-mode process may be able to access the first page of kernel memory Description: The iOS kernel has checks to validate that the user- mode pointer and length passed to the copyin and copyout functions would not result in a user-mode process being able to directly access kernel memory. The checks were not being used if the length was smaller than one page. StoreKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: JavaScript may be enabled in Mobile Safari without user interaction Description: If a user disabled JavaScript in Safari Preferences, visiting a site which displayed a Smart App Banner would re-enable JavaScript without warning the user. This issue was addressed by not enabling JavaScript when visiting a site with a Smart App Banner. CVE-ID CVE-2012-2824 : miaubiz CVE-2012-2857 : Arthur Gerkis CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3621 : Skylined of the Google Chrome Security Team CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3687 : kuzzcc CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0951 : Apple CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team CVE-2013-0955 : Apple CVE-2013-0956 : Apple Product Security CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2013-0968 : Aaron Nelson WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Copying and pasting content on a malicious website may lead to a cross-site scripting attack Description: A cross-site scripting issue existed in the handling of content pasted from a different origin. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. The version after applying this update will be "6.1". -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001 OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials Description: A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. CVE-ID CVE-2013-0966 : Clint Ruoho of Laconic Security CoreTypes Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. CVE-ID CVE-2013-0967 International Components for Unicode Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. CVE-ID CVE-2011-3058 : Masato Kinugawa Identity Services Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Authentication relying on certificate-based Apple ID authentication may be bypassed Description: An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. CVE-ID CVE-2013-0963 ImageIO Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. CVE-ID CVE-2012-2088 IOAcceleratorFamily Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted image may lead to an unexpected system termination or arbitrary code execution Description: A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0976 : an anonymous researcher Kernel Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square, and additional anonymous researchers Login Window Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with keyboard access may modify the system configuration Description: A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. CVE-ID CVE-2013-0969 : Eric A. Schulman of Purpletree Labs Messages Available for: OS X Mountain Lion v10.8 to v10.8.2 Impact: Clicking a link from Messages may initiate a FaceTime call without prompting Description: Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. CVE-ID CVE-2013-0970 : Aaron Sigel of vtty.com Messages Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may reroute federated Jabber messages Description: An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. CVE-ID CVE-2012-3525 PDFKit Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. CVE-ID CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day Initiative Podcast Producer Server Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0156 Podcast Producer Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Podcast Producer Server. CVE-ID CVE-2013-0333 PostgreSQL Available for: Mac OS X Server 10.6.8, OS X Lion Server v10.7 to v10.7.5 Impact: Multiple vulnerabilities in PostgreSQL Description: PostgreSQL was updated to version 9.1.5 to address multiple vulnerabilities, the most serious of which may allow database users to read files from the file system with the privileges of the database server role account. Further information is available via the PostgreSQL web site at http://www.postgresql.org/docs/9.1/static/release-9-1-5.html CVE-ID CVE-2012-3488 CVE-2012-3489 Profile Manager Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Profile Manager. CVE-ID CVE-2013-0156 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3756 : Kevin Szkudlapski of QuarksLab Ruby Available for: Mac OS X Server 10.6.8 Impact: A remote attacker may be able to cause arbitrary code execution if a Rails application is running Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling YAML and symbols in XML parameters in Rails. CVE-ID CVE-2013-0156 Security Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: Several intermediate CA certificates were mistakenly issued by TURKTRUST. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates. Software Update Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5 Impact: An attacker with a privileged network position may be able to cause arbitrary code execution Description: Software Update allowed a man in the middle attacker to insert plugin content into the marketing text displayed for updates. This may allow the exploitation of a vulnerable plugin, or facilitate social engineering attacks involving plugins. This issue does not affect OS X Mountain Lion systems. This issue was addressed by preventing plugins from being loaded in Software Update's marketing text WebView. CVE-ID CVE-2013-0973 : Emilio Escobar Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0156 Wiki Server Available for: OS X Lion Server v10.7 to v10.7.5 Impact: A remote attacker may be able to cause arbitrary code execution Description: A type casting issue existed in Ruby on Rails' handling of JSON data. This issue was addressed by switching to using the JSONGem backend for JSON parsing in the Rails implementation used by Wiki Server. CVE-ID CVE-2013-0333 Malware removal Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. Note: OS X Mountain Lion v10.8.3 includes the content of Safari 6.0.3. For further details see "About the security content of Safari 6.0.3" at http://http//support.apple.com/kb/HT5671 OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.3, or Security Update 2013-001. For OS X Mountain Lion v10.8.2 The download file is named: OSXUpd10.8.3.dmg Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c For OS X Mountain Lion v10.8 and v10.8.1 The download file is named: OSXUpdCombo10.8.3.dmg Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29 For OS X Lion v10.7.5 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07 For Mac OS X v10.6.8 The download file is named: SecUpd2013-001.dmg Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-001.dmg Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRQiuBAAoJEPefwLHPlZEwGfgP/0UDCn2KBop3IJ4Ad31yiG3N gH+yQl4GDONhm/HgrPWGQgcuVI69FmAqk+7arwOL7+7hlsSDQ5uSWDraRdd0EPmO aq2DxPxt6bYi4fHSrfkvRblVr/PcPxswEEshM82JU60Oy88EDA87bI8yy4qi8KJ4 E8+6O31vLuUeAaHf0SNE8y1p2iKpdmHH/Afo0iAVx3ddm8e8wMVPZ9XbR02pe8MV qmMWj8icBLNyHGoSl48zm5t4Ah4MS9qgXNjsYY+Mq2AcrqQI5EFTbdWpKFM7SQ1G UcM6zmeHtKNz8H21MDYKg1UHjo49MZnFb6ahRXN0E3jsPrfO4Co/2t6ogOLRZ90X 2Sd1RfwqYnRZRfwyOAe3htBYDpVEfvU1eaNMoTTHLRKWgarxUoXvww2cjnomAg5y tg+btVeQfzdHu+yClvioCbYqblKKxJf8lmhiLEgoH2bRaz2L+fluWW9yGQarxmrb vQ+cMKuy7heyLpNhwRHZioo4/b2K/IZBnkKwH76Ey3yAXnSSAD9xwbFZZAU5J8YQ liULOm9tv1sUlNHMyTsjplIsFkAIrkl+H43hn3/A+q4TIsDkmtPvOOl4Rc9/5w8H ZibyLnmr1XgXvd6CgFzIvl7Ink+d/xGHTnlybHszCMzR5o6Rg7sTeQsD34aNymcc Lz1nnBtRAbfDgARdRX4e =WUBR -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA52002 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/52002/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=52002 RELEASE DATE: 2013-01-29 DISCUSS ADVISORY: http://secunia.com/advisories/52002/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/52002/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=52002 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two security issues and multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's device. 2) An error exists in International Components for Unicode. 5) Multiple vulnerabilities are caused due to a bundled vulnerable version of WebKit. Successful exploitation of vulnerabilities #3 and #5 through #17 may allow execution of arbitrary code. 18) Certain input pasted from a different origin is not properly sanitised in WebKit before being used. 19) Certain unspecified input related to frame handling is not properly sanitised before being returned to the user. For more information see vulnerability #1 in: SA50759 NOTE: Additionally a weakness exists within the handling of 802.11i information elements within Broadcom's BCM4325 and BCM4329 firmware, which can be exploited to disable WiFi. PROVIDED AND/OR DISCOVERED BY: 1, 9, 13, and 14) Reported by the vendor The vendor credits: 3) Mark Dowd, Azimuth Security 4) Andrew Plotkin, Zarfhome Software Consulting, Ben Madison, BitCloud, and Marek Durcek 6, 7, 8, 10, 11, 15, and 16) Abhishek Arya (Inferno), Google Chrome Security Team 12) Dominic Cooney, Google and Martin Barbella, Google Chrome Security Team 17) Aaron Nelson 18) Mario Heiderich, Cure53 ORIGINAL ADVISORY: APPLE-SA-2013-01-28-1: http://support.apple.com/kb/HT5642 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

network

TYPE

input validation

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Mark Dowd of Azimuth Security, Andrew Plotkin of Zarfhome Software Consulting, Ben Madison of BitCloud, Marek Durcek, Abhishek Arya (Inferno) of the Google Chrome Security Team, Apple Product Security, Aaron Nelson, Mario Heiderich of Cure53

SOURCES

LAST UPDATE DATE

2025-04-11T20:35:03.244000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE