VARIoT IoT vulnerabilities database
| VAR-201110-0333 | CVE-2011-3261 | Apple iOS of OfficeImport Vulnerable to double memory release in Windows |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Double free vulnerability in OfficeImport in Apple iOS before 5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Excel spreadsheet. Apple iOS for iPhone, iPod touch, and iPad is prone to a remote code-execution vulnerability.
Successfully exploiting this issue may allow attackers to execute arbitrary code. Failed exploit attempts may cause denial-of-service conditions.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. A code injection vulnerability exists in OfficeImport versions prior to Apple iOS 5. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0329 | CVE-2011-3245 | Apple iOS Vulnerability in obtaining important information in the keyboard component |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Keyboards component in Apple iOS before 5 displays the final character of an entered password during a subsequent use of a keyboard, which allows physically proximate attackers to obtain sensitive information by reading this character. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve the last character of a password typed previously by another user. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0325 | CVE-2011-3242 | Mac OS X Run on Apple Safari User tracking vulnerability in the private browsing feature |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Private Browsing feature in Apple Safari before 5.1.1 on Mac OS X does not properly recognize the Always value of the Block Cookies setting, which makes it easier for remote web servers to track users via a cookie. WebKit is prone to a security-bypass vulnerability. This issue occurs when private browsing mode is enabled.
Attackers can exploit this issue to bypass security restrictions.
NOTE: This issue was previously discussed in BID 50089 (Apple Safari Prior to 5.1.1 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. There is a logic error in Safari's handling of cookies in Private Browsing mode, which sets cookies even if \"Block cookies\" is set to \"Always\"
| VAR-201110-0322 | CVE-2011-3257 | Apple iOS of Data Access Vulnerabilities that prevent access restrictions on components |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Data Access component in Apple iOS before 5 does not properly handle the existence of multiple user accounts on the same mail server, which allows local users to bypass intended access restrictions in opportunistic circumstances by leveraging a different account's cookie. Apple iOS is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information due to an incorrect mail cookie synchronization. This may allow the attacker to obtain credentials or other sensitive information. Information harvested may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0324 | CVE-2011-3260 | Apple iOS of OfficeImport Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in OfficeImport in Apple iOS before 5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Microsoft Word document. Apple iOS for iPhone, iPod touch, and iPad is prone to a buffer-overflow vulnerability.
Successfully exploiting this issue may allow attackers to execute arbitrary code. Failed exploit attempts may cause denial-of-service conditions.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. The OfficeImport framework is used by several
applications, including MobileMail and MobileSafari. Both of these
applications are attack vectors for this vulnerability. For more
information, see the vendor's site found at the following link.
http://www.apple.com/iphone/softwareupdate/
II.
The vulnerability occurs when parsing a Word file with a maliciously
constructed record. Specific values within this record can trigger a
memory corruption vulnerability and result in values from the file being
used as function pointers.
III. To exploit this
vulnerability, an attacker has several attack vectors. The most
dangerous vector is through MobileSafari, which will automatically open
and parse Office files embedded in Web pages. This behavior is similar
to Microsoft Office 2000, in that it enables drive-by style attacks
without any user interaction beyond visiting a Web page (no file open
dialog is displayed, the file is simply opened). Additionally, an
attacker can e-mail a targeted user and attach a malicious file. The
user will then have to view the e-mail and attachment with MobileMail to
trigger the vulnerability.
IV. DETECTION
iOS versions prior to 5 are vulnerable.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
Apple has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://lists.apple.com/archives/Security-announce/2011/Oct/msg00001.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-3260 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
10/27/2010 Initial Vendor Notification
10/27/2010 Vendor Reply
10/12/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
| VAR-201110-0320 | CVE-2011-3255 | Apple iOS of CFNetwork Vulnerability in which important information is obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
CFNetwork in Apple iOS before 5 stores AppleID credentials in an unspecified file, which makes it easier for remote attackers to obtain sensitive information via a crafted application. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve a local user's password. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0319 | CVE-2011-3254 | Apple iOS Calendar cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Calendar in Apple iOS before 5 allows remote attackers to inject arbitrary web script or HTML via an invitation note.
An attacker may leverage this issue to execute arbitrary script code in the local domain. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following Apple systems are vulnerable:
iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 4.2.0 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0301 | CVE-2011-3437 | Apple Mac OS X of Apple Type Services (ATS) Integer sign error vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer signedness error in Apple Type Services (ATS) in Apple Mac OS X 10.7 before 10.7.2 allows remote attackers to execute arbitrary code via a crafted embedded Type 1 font in a document.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions.
OS X versions 10.7.x prior to 10.7.2 are affected.
NOTE: This issue was previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0318 | CVE-2011-3253 | Apple iOS of CalDAV Vulnerability in which important information is obtained |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
CalDAV in Apple iOS before 5 does not validate X.509 certificates for SSL sessions, which allows man-in-the-middle attackers to spoof calendar servers and obtain sensitive information via an arbitrary certificate. Apple iOS is prone to an information-disclosure vulnerability that affects the calendar synchronization feature.
Attackers can exploit this issue to obtain sensitive information from CalDAV communications.
An attacker can exploit this issue through man-in-the-middle attacks by impersonating a trusted server. This may allow the attacker to obtain credentials or other sensitive information or give users a false sense of security. Information harvested may aid in further attacks.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. nSense Vulnerability Research Security Advisory NSENSE-2011-006
---------------------------------------------------------------
t2'11 infosec conference special release
http://www.t2.fi
---------------------------------------------------------------
Affected Vendor: Apple Inc.
Affected Product: CalDAV (iOS 3.0 through 4.3.5 for iPhone 3GS
and iPhone 4, iOS 3.1 through 4.3.5 for iPod
touch (3rd generation) and later, iOS 3.2
through 4.3.5 for iPad)
Platform: iOS
Impact: Sensitive information interception
Vendor response: New version released
CVE: CVE-2011-3253
Credit: Leszek / nSense
Release date: 12 Oct 2011
Technical details
---------------------------------------------------------------
The calendar synchronization feature of iOS fails to validate
the SSL certificate provided by the server. Therefore, CalDAV
communication can be intercepted by a basic man in the middle
attack. As every request contains a HTTP basic authentication
header, which contains base64-encoded credentials, it is
possible to intercept email account credentials by an attacker
that is suitably positioned (e.g. the same LAN, WLAN) or is
able to tamper with DNS records pointing to the CalDAV server.
The application accepts the untrusted certificate without any
warning or prompt, so the attack will go unnoticed by the user.
Timeline:
20110407 nSense informed the vendor about the vulnerability
20110409 Vendor started to investigate the issue
20110415 nSense sent a status update request to the vendor
20110415 Vendor provided a status update
20110420 nSense asked the vendor for further information
20110502 nSense resent the previous questions
20110502 Vendor confirmed the vulnerability
20110525 nSense asked the vendor about the patch schedule
20110527 Vendor responded
20110527 nSense asked the vendor for further information
20110531 Vendor responded, unable to provide a date
20110601 nSense asked the vendor for clarification
20110603 Vendor responded
20110603 nSense resent the previous question
20110607 nSense commented the issue, asked the vendor for
clarification
20110705 nSense asked the vendor for clarification
20110726 nSense asked the vendor whether 4.3.5 fixed the
issue
20110727 Vendor responded. Issue not fixed.
20110728 nSense asked the vendor for further details
20110917 Vendor asked for credit information
20110917 nSense responded
20111002 Vendor confirmed release date
20111012 Vendor releases fixed version of the software
20111012 Vendor releases public advisory
Solution:
Apple security updates are available via the Software Update
mechanism: http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download
via: http://www.apple.com/support/downloads/
More information from Apple Inc.:
http://support.apple.com/kb/HT1222
Links:
http://www.nsense.fi http://www.nsense.dk
$$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.
$$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$
$$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$
$$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$
$$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P
D r i v e n b y t h e c h a l l e n g e _
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201110-0300 | CVE-2011-3436 | Apple Mac OS of Open Directory Vulnerable to bypassing password change restrictions |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Open Directory in Apple Mac OS X 10.7 before 10.7.2 does not require a user to provide the current password before changing this password, which allows remote attackers to bypass intended password-change restrictions by leveraging an unattended workstation. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2011-006.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2.
An attacker can exploit this issue to change a user's password, aiding further attacks. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0299 | CVE-2011-3435 | Apple Mac OS X Vulnerabilities in browsing password data in Open Directory |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Open Directory in Apple Mac OS X 10.7 before 10.7.2 allows local users to read the password data of arbitrary users via unspecified vectors.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2. Apple Mac OS X is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve a local user's password from the vulnerable computer. Information obtained may aid in further attacks.
Apple Mac OS X Lion 10.7 and 10.7.1 are vulnerable.
NOTE: This issue was previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
| VAR-201110-0298 | CVE-2011-3434 | Apple iOS of WiFi Vulnerabilities that can capture important information in components |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The WiFi component in Apple iOS before 5 stores WiFi credentials in an unspecified file, which makes it easier for remote attackers to obtain sensitive information via a crafted application. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve WiFi credentials. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. A trust management vulnerability exists in the WiFi component of Apple iOS versions prior to 5. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0297 | CVE-2011-3432 | Apple iOS of UIKit Service disruption in the alert component ( Device hang ) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The UIKit Alerts component in Apple iOS before 5 allows remote attackers to cause a denial of service (device hang) via a long tel: URL that triggers a large size for the acceptance dialog. Apple iOS is prone to a denial-of-service vulnerability when handling specially crafted webpages.
Attackers can exploit this issue to cause the device to hang, denying service to legitimate users.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. A resource management error vulnerability exists in the UIKit Alerts component in versions prior to Apple iOS 5. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0295 | CVE-2011-3430 | Apple iOS Vulnerabilities affected by unknown details in configuration components |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The Settings component in Apple iOS before 5, when a configuration profile is used for a locale other than English, does not properly implement localization, which makes it easier for attackers to have an unspecified impact by leveraging incorrect configuration display.
This weakness may cause unsuspecting users to set up unsafe configurations, resulting in a false sense of security. This may lead to other attacks. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. Vulnerabilities exist in the Settings component of Apple iOS versions prior to 5. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0296 | CVE-2011-3431 | Apple iOS Vulnerability in obtaining critical state information in the home screen component |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Home screen component in Apple iOS before 5 does not properly support a certain application-switching gesture, which might allow physically proximate attackers to obtain sensitive state information by watching the device's screen. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve the previous application's state. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0294 | CVE-2011-3429 | Apple iOS Vulnerability in obtaining important information in the configuration component |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Settings component in Apple iOS before 5 stores a cleartext parental-restrictions passcode in an unspecified file, which might allow physically proximate attackers to obtain sensitive information by reading this file. Apple iOS is prone to an information-disclosure vulnerability.
A local attacker can exploit this issue to retrieve the passcode which protects parental restrictions. Information obtained may aid in further attacks.
The following Apple systems are vulnerable:
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. The Settings component in versions prior to Apple iOS 5 has a trust management vulnerability. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201110-0330 | CVE-2011-3246 | Apple iOS and Mac OS X of CFNetwork Vulnerability in which important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
CFNetwork in Apple iOS before 5.0.1 and Mac OS X 10.7 before 10.7.2 does not properly parse URLs, which allows remote attackers to trigger visits to unintended web sites, and transmission of cookies to unintended web sites, via a crafted (1) http or (2) https URL. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2011-006.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2.
An attacker can exploit this issue to obtain sensitive information related to an arbitrary domain by enticing a victim to visit a maliciously crafted website. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Kernel
Available for: iOS 3.0 through 5.0 for iPhone 3GS,
iPhone 4 and iPhone 4S,
iOS 3.1 through 5.0 for iPod touch (3rd generation) and later,
iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
Impact: An application may execute unsigned code
Description: A logic error existed in the mmap system call's
checking of valid flag combinations. This issue may lead to a bypass
of codesigning checks.
CVE-ID
CVE-2011-3441 : Erling Ellingsen of Facebook, Per Johansson of
Blocket AB
Passcode Lock
Available for: iOS 4.3 through 5.0 for iPad 2
Impact: A person with physical access to a locked iPad 2 may be able
to access some of the user's data
Description: When a Smart Cover is opened while iPad 2 is confirming
power off in the locked state, the iPad does not request a passcode.
This allows some access to the iPad, but data protected by Data
Protection is inaccessible and apps cannot be launched. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5.0.1 (9A405)". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001
OS X Lion v10.7.3 and Security Update 2012-001 is now available and
addresses the following:
Address Book
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: An attacker in a privileged network position may intercept
CardDAV data
Description: Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused Address Book to attempt
an unencrypted connection if an encrypted connection failed. An
attacker in a privileged network position could abuse this behavior
to intercept CardDAV data. This issue is addressed by not downgrading
to an unencrypted connection without user approval. Further information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-3348
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Apache disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by providing a configuration
parameter to control the countermeasure and enabling it by default.
CVE-ID
CVE-2011-3389
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
the request to an incorrect origin server.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers.
CVE-ID
CVE-2011-3447 : Erling Ellingsen of Facebook
ColorSync
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreAudio
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of AAC
encoded audio streams.
CVE-ID
CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
CoreMedia
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreMedia's handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-3448 : Scott Stender of iSEC Partners
CoreText
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to an unexpected application
termination or arbitrary code execution
Description: A use after free issue existed in the handling of font
files.
CVE-ID
CVE-2011-3449 : Will Dormann of the CERT/CC
CoreUI
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of long URLs.
CVE-ID
CVE-2011-3450 : Ben Syverson
curl
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: A remote server may be able to impersonate clients via
GSSAPI requests
Description: When doing GSSAPI authentication, libcurl
unconditionally performs credential delegation. This issue is
addressed by disabling GSSAPI credential delegation.
CVE-ID
CVE-2011-2192
Data Security
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Two certificate authorities in the list of trusted root
certificates have independently issued intermediate certificates to
DigiCert Malaysia. DigiCert Malaysia has issued certificates with
weak keys that it is unable to revoke. An attacker with a privileged
network position could intercept user credentials or other sensitive
information intended for a site with a certificate issued by DigiCert
Malaysia. This issue is addressed by configuring default system trust
settings so that DigiCert Malaysia's certificates are not trusted. We
would like to acknowledge Bruce Morton of Entrust, Inc. for reporting
this issue.
dovecot
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Dovecot disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling the
countermeasure.
CVE-ID
CVE-2011-3389 : Apple
filecmds
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Decompressing a maliciously crafted compressed file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the 'uncompress' command
line tool.
CVE-ID
CVE-2011-2895
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is address by updating
libtiff to version 3.9.5. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
Internet Sharing
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A Wi-Fi network created by Internet Sharing may lose
security settings after a system update
Description: After updating to a version of OS X Lion prior to
10.7.3, the Wi-Fi configuration used by Internet Sharing may revert
to factory defaults, which disables the WEP password. This issue only
affects systems with Internet Sharing enabled and sharing the
connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi
configuration during a system update.
CVE-ID
CVE-2011-3452 : an anonymous researcher
Libinfo
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in Libinfo's handling of hostname
lookup requests. Libinfo could return incorrect results for a
maliciously crafted hostname.
CVE-ID
CVE-2011-3441 : Erling Ellingsen of Facebook
libresolv
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An integer overflow existed in the parsing of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive
libsecurity
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Some EV certificates may be trusted even if the
corresponding root has been marked as untrusted
Description: The certificate code trusted a root certificate to sign
EV certificates if it was on the list of known EV issuers, even if
the user had marked it as 'Never Trust' in Keychain. The root would
not be trusted to sign non-EV certificates.
CVE-ID
CVE-2011-3422 : Alastair Houghton
OpenGL
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-1148
CVE-2011-1657
CVE-2011-1938
CVE-2011-2202
CVE-2011-2483
CVE-2011-3182
CVE-2011-3189
CVE-2011-3267
CVE-2011-3268
PHP
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of MP4 encoded files.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of font
tables embedded in QuickTime movie files.
CVE-ID
CVE-2011-3248 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted JPEG2000 image file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
files.
CVE-ID
CVE-2011-3250 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PNG files.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FLC
encoded movie files
CVE-ID
CVE-2011-3249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SquirrelMail
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in SquirrelMail
Description: SquirrelMail is updated to version 1.4.22 to address
several vulnerabilities, the most serious of which is a cross-site
scripting issue. Further information is available
via the Subversion web site at http://subversion.tigris.org/
CVE-ID
CVE-2011-1752
CVE-2011-1783
CVE-2011-1921
Time Machine
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A remote attacker may access new backups created by the
user's system
Description: The user may designate a remote AFP volume or Time
Capsule to be used for Time Machine backups. Time Machine did not
verify that the same device was being used for subsequent backup
operations. An attacker who is able to spoof the remote volume could
gain access to new backups created by the user's system. This issue
is addressed by verifying the unique identifier associated with a
disk for backup operations. Tomcat is only provided on Mac OS X Server
systems. Further
information is available via the Tomcat site at
http://tomcat.apache.org/
CVE-ID
CVE-2011-2204
WebDAV Sharing
Available for: OS X Lion Server v10.7 to v10.7.2
Impact: Local users may obtain system privileges
Description: An issue existed in WebDAV Sharing's handling of user
authentication. A user with a valid account on the server or one of
its bound directories could cause the execution of arbitrary code
with system privileges.
CVE-ID
CVE-2011-3463 : Gordon Davisson of Crywolf
Webmail
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted e-mail message may lead to the
disclosure of message content
Description: A cross-site scripting vulnerability existed in the
handling of mail messages. This issue is addressed by updating
Roundcube Webmail to version 0.6. Further information is available via the
Roundcube site at http://trac.roundcube.net/
CVE-ID
CVE-2011-2937
X11
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
OS X Lion v10.7.3 and Security Update 2012-001 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Lion v10.7.2
The download file is named: MacOSXUpd10.7.3.dmg
Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c
For OS X Lion v10.7 and v10.7.1
The download file is named: MacOSXUpdCombo10.7.3.dmg
Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c
For OS X Lion Server v10.7.2
The download file is named: MacOSXServerUpd10.7.3.dmg
Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d
For OS X Lion Server v10.7 and v10.7.1
The download file is named: MacOSXServerUpdCombo10.7.3.dmg
Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b
For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPKYxNAAoJEGnF2JsdZQeeLiIIAMLhH2ipDFrhCsw/n4VDeF1V
P6jSkGXC9tBBVMvw1Xq4c2ok4SI34bDfMlURAVR+dde/h6nIZR24aLQVoDLjJuIp
RrO2dm1nQeozLJSx2NbxhVh54BucJdKp4xS1GkDNxkqcdh04RE9hRURXdKagnfGy
9P8QQPOQmKAiWos/LYhCPDInMfrpVNvEVwP8MCDP15g6hylN4De/Oyt7ZshPshSf
MnAFObfBTGX5KioVqTyfdlBkKUfdXHJux61QEFHn8eadX6+/6IuKbUvK9B0icc8E
pvbjOxQatFRps0KNWeIsKQc5i6iQoJhocAiIy6Y6LCuZQuSXCImY2RWXkVYzbWo=
=c1eU
-----END PGP SIGNATURE-----
| VAR-201110-0289 | CVE-2011-3427 | Apple iOS and Apple TV of Data Security Vulnerabilities that can capture important information in components |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The Data Security component in Apple iOS before 5 and Apple TV before 4.4 does not properly restrict use of the MD5 hash algorithm within X.509 certificates, which makes it easier for man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate. Apple iOS is prone to a security vulnerability that may allow attackers to conduct spoofing attacks.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers or obtain sensitive information. This will aid in further attacks. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2. An attacker with the ability to connect
to a listening service on an iOS device could exhaust system
resources.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in JavaScriptCore.
CVE-ID
CVE-2011-3232 : Aki Helin of OUSPG
Installation note:
Apple TV will periodically check for software updates.
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlcwaAAoJEGnF2JsdZQeegxcIAKElICLSw74Dj2vV1uDzwh8f
6cOg/AKME1KB80rFgkHymBZM4t1mrLhwYLFs5w8oFRbbL02fxAxhw/DRWYHoqWHw
mPR7A2Alg7fwX4FAyhJ/EVb8/szUvRsS9YD2AxOZeDdQdw+40mP5rYgx+dkURuag
Rx6S5M4LaQ7A0/yfnRhUCWc6Er78LIcFxkjY4XEHwRuOR0jOnZyHSI1wx1UAvkam
HeWtRLnamHSANnZhQhrp+cesGRI5HrbbFHGJgc1nBIGZz65qgk3ZOKGh9MPBMrGm
ISg0lZHs/5gVKBFmkaMj1wyMAdsaDezWov01Bqz/UrMVuqo/7sjO4Is8x99W0EE=
=AlFT
-----END PGP SIGNATURE-----
| VAR-201110-0288 | CVE-2011-3426 | Safari for iOS vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Safari in Apple iOS before 5 allows remote web servers to inject arbitrary web script or HTML via a file accompanied by a "Content-Disposition: attachment" HTTP header. Yoshinori Ohta of Business Architects Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Opening a maliciously crafted file may lead to an arbitrary script being executed on the user's web browser.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. BACKGROUND
MobileSafari is Apple's mobile we browser for iOS devices. For more
information about MobileSafari, please the visit following website:
http://www.apple.com/iphone/built-in-apps/safari.html
II. DESCRIPTION
Remote exploitation of a cross site scripting vulnerability in Apple
Inc.'s MobileSafari could allow an attacker to view sensitive
information in the context of the targeted domain.
This vulnerability occurs in MobileSafari's handling of the
Content-Disposition header, which is typically used to inform the
browser that an attachment is contained in the current response. Typical
browser behavior is to prompt the user with an Open dialog, asking them
how they would like to handle the attachment content (such as opening an
external program). However, MobileSafari does not prompt the user, and
instead opens the attached content in the browser. If an attacker can
persuade a target to open an HTML attachment (such as by attaching an
HTML file to an email), then this file will open in the context of the
domain serving the file. This allows the HTML attachment full access to
the DOM of the targeted domain, which can allow for cross site
scripting.
III. ANALYSIS
Exploitation of this vulnerability results in the disclosure of
potentially sensitive information, such as document cookies, on the
target domain. To exploit this vulnerability, a targeted user must open
an attachment from an affected domain. An attacker typically
accomplishes this via social engineering or injecting content into
compromised, trusted sites. Note that a user has to open an attachment,
which takes at least one click; however, MobileSafari does not display
an "Open" prompt dialog, so nothing beyond the initial click is
necessary.
IV. DETECTION
iOS versions prior to 5 are vulnerable.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
Apple has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://lists.apple.com/archives/Security-announce/2011/Oct/msg00001.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-3426 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/02/2011 Initial Vendor Notification
03/02/2011 Vendor Reply
10/12/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
| VAR-201110-0208 | CVE-2011-3213 | Apple Mac OS X of File Systems In the component WebDAV Session hijacking vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The File Systems component in Apple Mac OS X before 10.7.2 does not properly track the specific X.509 certificate that a user manually accepted for an initial https WebDAV connection, which allows man-in-the-middle attackers to hijack WebDAV communication by presenting an arbitrary certificate for a subsequent connection.
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity.
These issues affect OS X prior to 10.7.2. Apple Mac OS X is prone to an information-disclosure vulnerability.
A remote man-in-the-middle attacker can exploit this issue to disclose potentially sensitive information. Information obtained may aid in further attacks.
NOTE: This issue was previously discussed in BID 50085 (Apple Mac OS X Prior to 10.7.2 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----