The security of iPhone OS 3.0

The free iPhone OS 3.0 Software Update includes new features, as well as security updates.

The security content of the update is outlined below.

CoreGraphics

A heap buffer overflow exists in the handling of color spaces within CoreGraphics. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

Multiple memory corruption issues exist in CoreGraphics’ handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds and error checking.

Multiple heap buffer overflows exist in CoreGraphics’ handling of PDF files containing JBIG2 streams. Viewing or downloading a PDF file containing a maliciously crafted JBIG2 stream may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

An integer underflow in CoreGraphics’ handling of PDF files may result in a heap buffer overflow. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

An integer overflow in CoreGraphics’ handling of PDF files may result in a heap buffer overflow. Opening a PDF file containing a maliciously crafted JBIG2 stream may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

Multiple integer overflows exist in FreeType v2.3.8, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking.

Exchange

Accepting an untrusted Exchange server certificate results in storing an exception on a per-hostname basis. On the next visit to an Exchange server contained in the exception list, its certificate is accepted without any prompt or validation. This may lead to the disclosure of credentials or application data. This update addresses the issue through improved handling of untrusted certificate exceptions.
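
One way to scope such an exception so that it cannot be reused by a different certificate, as an added example that is not Apple's or Microsoft's code: the store below keys each accepted exception on the (hostname, certificate) pair, so a changed certificate under an excepted hostname is prompted for again. The certificate stand-ins and the `decide` API are constructed for this example.

```javascript
// Added example, not Apple's or Microsoft's code: a certificate-exception
// store that records the user's decision per (hostname, certificate) pair
// rather than per hostname alone, so a server presenting a different
// untrusted certificate under an already-excepted name is prompted for again.

// Hex of the certificate's DER bytes. A real store would key on the SHA-256
// fingerprint of the DER instead; comparing the full bytes gives the same
// decision and keeps this example dependency-free.
function certId(derBytes) {
  return Array.from(derBytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

class CertExceptionStore {
  constructor() { this.exceptions = new Map(); }   // "host|certId" -> time accepted

  // Record that the user explicitly accepted `derBytes` for `host`.
  remember(host, derBytes) {
    this.exceptions.set(`${host.toLowerCase()}|${certId(derBytes)}`, Date.now());
  }

  // Decision for a new connection. `chainValid` is the outcome of ordinary
  // certificate validation; the exception list is consulted only when that
  // failed, and only an exact (host, certificate) match skips the prompt.
  decide(host, derBytes, chainValid) {
    if (chainValid) return "accept";
    const key = `${host.toLowerCase()}|${certId(derBytes)}`;
    return this.exceptions.has(key) ? "accept-exception" : "prompt";
  }
}

// Constructed stand-ins for DER-encoded certificates (real ones are ASN.1 blobs).
const CERT_A = new TextEncoder().encode("constructed certificate A for mail.example");
const CERT_B = new TextEncoder().encode("constructed certificate B for mail.example");
```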

ImageIO

An uninitialized pointer issue exists in the handling of PNG images. Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PNG images.

International Components for Unicode

An implementation issue exists in ICU’s handling of certain character encodings. Using ICU to convert invalid byte sequences to Unicode may result in over-consumption, where trailing bytes are considered part of the original character. This may be leveraged by an attacker to bypass filters on websites that attempt to mitigate cross-site scripting. This update addresses the issue through improved handling of invalid byte sequences.
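
The over-consumption behaviour described above, contrasted with a strict decoder, as an added example that is not Apple's or ICU's code: the same byte sequence is decoded leniently (a bad lead byte swallows the bytes after it) and strictly (decoding stops at the first byte that is not a valid continuation byte), and a filter that scans the decoded text behaves differently in the two cases. The sample bytes and the `filterAllows` helper are constructed for this example.

```javascript
// Added example, not Apple's or ICU's code: the same bytes decoded with a
// lenient "over-consuming" decoder (as the advisory describes) and with a
// strict one that stops at the first byte that is not a valid continuation.

// Lead byte -> [continuation bytes needed, initial bits, minimum code point]; null if invalid.
function leadInfo(b) {
  if (b >= 0xc2 && b <= 0xdf) return [1, b & 0x1f, 0x80];
  if (b >= 0xe0 && b <= 0xef) return [2, b & 0x0f, 0x800];
  if (b >= 0xf0 && b <= 0xf4) return [3, b & 0x07, 0x10000];
  return null;
}

function decodeUtf8(bytes, strict) {
  let out = "", i = 0;
  while (i < bytes.length) {
    const b0 = bytes[i];
    if (b0 < 0x80) { out += String.fromCharCode(b0); i += 1; continue; }
    const info = leadInfo(b0);
    if (info === null) {
      if (strict) throw new RangeError(`invalid lead byte at offset ${i}`);
      out += "\ufffd"; i += 1; continue;
    }
    let [need, cp, min] = info;
    let ok = i + need < bytes.length;                 // enough bytes left?
    for (let k = 1; ok && k <= need; k++) {
      const b = bytes[i + k];
      if ((b & 0xc0) !== 0x80) ok = false;            // not a 10xxxxxx byte
      else cp = (cp << 6) | (b & 0x3f);
    }
    // Also reject overlong forms, surrogates and values above U+10FFFF.
    if (ok && (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))) ok = false;
    if (ok) { out += String.fromCodePoint(cp); i += need + 1; continue; }
    if (strict) throw new RangeError(`invalid UTF-8 sequence at offset ${i}`);
    // Over-consumption: one U+FFFD for all need + 1 bytes, ASCII that followed included.
    out += "\ufffd"; i += need + 1;
  }
  return out;
}

// Constructed sample: a stray lead byte 0xC2 directly before "<b>".
const SAMPLE = [0x41, 0xc2, 0x3c, 0x62, 0x3e];

// A filter that decodes and then scans for "<": with the lenient decoder the
// "<" has vanished ("A\uFFFDb>") and the input passes; the strict decoder
// rejects the input as malformed instead.
function filterAllows(bytes, strict) {
  try { return !decodeUtf8(bytes, strict).includes("<"); } catch (e) { return false; }
}
```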

IPSec

Multiple memory leaks exist in the racoon daemon in ipsec-tools before 0.7.1, which may lead to a denial of service. This update addresses the issues through improved memory management.

libxml

Multiple vulnerabilities exist in libxml2 version 2.6.16, the most serious of which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues by updating the libxml2 system library to version 2.7.3.

Mail

Mail does not provide a preference to turn off the automatic loading of remote images. Opening an HTML email containing a remote image will automatically request it. The server hosting a remote image can determine that the email was read, and the network address of the device. This update addresses the issue by adding a preference to turn off the automatic loading of remote images.

If an application causes an alert to appear while Mail’s call approval dialog is shown, the call will be placed without user interaction. This update addresses the issue by not dismissing the call approval dialog when other alerts appear.

MPEG-4 Video Codec

An input validation issue exists in the handling of MPEG-4 video files. Viewing a maliciously crafted MPEG-4 video file may lead to an unexpected device reset. This update addresses the issue through improved handling of MPEG-4 video files.

Profiles

An issue in the handling of configuration profiles may allow a weaker passcode policy to overwrite the passcode policy already set via Exchange ActiveSync. This may allow a person with physical access to the device to bypass the passcode policy set via Exchange ActiveSync. This update addresses the issue through improved handling of configuration profiles.

Safari

Clearing Safari’s history via the Settings application does not reset the search history. In this case, another person with physical access to the device may be able to view the search history. This update addresses the issue by removing the search history when Safari’s history is cleared via the Settings application.

Safari

A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as “clickjacking”. A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard ‘X-Frame-Options’ extension header, which allows individual web pages to opt out of being displayed within a subframe.
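
The decision a browser makes once a framed response carries this header, as an added example that is not WebKit's or Apple's code: the function below evaluates the DENY and SAMEORIGIN values against the origins of the top-level page and any intermediate frames. The header objects and URLs are constructed for this example; it also shows the practitioner's caveat that a misspelt value is ignored rather than enforced.

```javascript
// Added example, not WebKit's or Apple's code: the decision a browser makes
// when a response arrives for a document that is about to render inside a
// subframe. Only the DENY and SAMEORIGIN values are handled; origins are
// compared as scheme://host[:port].

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;   // host keeps a non-default port
}

// headers: lowercased header names -> values (constructed, not a live response).
// frameUrl is the document being framed, topUrl the top-level page, and
// ancestorUrls any frames in between. Returns true when rendering is allowed.
function mayBeFramed(headers, frameUrl, topUrl, ancestorUrls = []) {
  const raw = headers["x-frame-options"];
  if (raw === undefined) return true;           // no opt-out: framing allowed
  const value = raw.trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") {
    const target = originOf(frameUrl);
    // Every document between the framed page and the top must share its origin;
    // checking only the top-level page would let a same-origin top frame a
    // cross-origin page that in turn frames the target.
    return [topUrl, ...ancestorUrls].every((u) => originOf(u) === target);
  }
  // Browsers ignore values they do not recognise, so a misspelt header gives
  // no protection at all: treat it as absent, exactly as a browser would.
  return true;
}

// Constructed responses: a server that opts out of framing, and one that
// forgot the header.
const OPTED_OUT = { "content-type": "text/html", "x-frame-options": "SAMEORIGIN" };
const UNPROTECTED = { "content-type": "text/html" };
```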

Telephony

A logic issue in the handling of ICMP echo request packets may cause an assertion to be triggered. By sending a maliciously crafted ICMP echo request packet, a remote attacker may be able to cause an unexpected device reset. This update addresses the issue by removing the assertion.

WebKit

A memory corruption issue exists in WebKit’s handling of invalid color strings in Cascading Style Sheets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved sanitization of color strings.

A memory corruption issue exists in WebKit’s handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking.

A cross-site scripting issue exists in the separation of JavaScript contexts. A maliciously crafted web page may use an event handler to execute a script in the security context of the next web page that is loaded in its window or frame. This update addresses the issue by ensuring that event handlers are not able to directly affect an in-progress page transition.

A cross-site scripting issue exists in the separation of JavaScript contexts. By enticing a user to visit a maliciously crafted web page, the attacker may overwrite the ‘document.implementation’ of an embedded or parent document served from a different security zone. This update addresses the issue by ensuring that changes to ‘document.implementation’ do not affect other documents.

A type conversion issue exists in WebKit’s JavaScript exception handling. When an attempt is made to assign the exception to a variable that is declared as a constant, an object is cast to an invalid type, causing memory corruption. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that assignment in a const declaration writes to the variable object.

A memory corruption issue exists in WebKit’s JavaScript garbage collector implementation. If an allocation fails, a memory write to an offset of a NULL pointer may result, leading to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking for allocation failure.

Multiple issues in WebKit’s handling of JavaScript objects may lead to a cross-site scripting attack. This update addresses the issues through improved handling of cross-site interaction with JavaScript objects.

A memory corruption issue exists in WebKit’s handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved memory management.

A cross-site scripting issue in Safari allows a maliciously crafted website to alter standard JavaScript prototypes of websites served from a different domain. By enticing a user to visit a maliciously crafted web page, an attacker may be able to alter the execution of JavaScript served from other websites. This update addresses the issue through improved access controls on these prototypes.

A memory consumption issue exists in the handling of HTMLSelectElement objects. Visiting a maliciously crafted webpage containing an HTMLSelectElement with a very large length attribute may lead to an unexpected device reset. This update addresses the issue through improved handling of HTMLSelectElement objects.

A cross-site image capture issue exists in WebKit. By using a canvas with an SVG image, a maliciously crafted website may load and capture an image from another website. This update addresses the issue by restricting the reading of canvases that have images loaded from other websites.

A cross-site image capture issue exists in WebKit. By using a canvas and a redirect, a maliciously crafted website may load and capture an image from another website. This update addresses the issue through improved handling of redirects.

An issue in WebKit allows the contents of a frame to be accessed by an HTML document after a page transition has taken place. This may allow a maliciously crafted website to perform a cross-site scripting attack. This update addresses the issue through an improved domain check.

Safari generates random numbers for JavaScript applications using a predictable algorithm. This could allow a website to track a particular Safari session without using cookies, hidden form elements, IP addresses, or other techniques. This update addresses the issue by using a better random number generator.

A CRLF injection issue exists in the handling of XMLHttpRequest headers in WebKit. This may allow a malicious website to bypass the same-origin policy by issuing an XMLHttpRequest that does not contain a Host header. XMLHttpRequests without a Host header may reach other websites on the same server, and allow attacker-supplied JavaScript to interact with those sites. This update addresses the issue through improved handling of XMLHttpRequest headers.
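
The checks a `setRequestHeader`-style API has to make before a script-supplied header reaches the wire, as an added example that is not WebKit's code: names must be HTTP tokens, values may not contain CR, LF or other control characters, script-forbidden headers such as Host are dropped, and the Host line is always derived from the request URL. The `RequestHeaders` class, its forbidden-name subset and the sample URL are constructed for this example.

```javascript
// Added example, not WebKit's code: the checks a setRequestHeader-style API has
// to perform before a name/value pair reaches the socket. A CR or LF inside a
// value would start a new header line (a second "Host:" among them), and a
// script that may set Host itself can address other sites on the same server,
// which is the bypass the advisory describes.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;           // RFC 7230 token
const FIELD_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;           // no CR, LF, NUL or other controls
// Headers a script must never control (subset of the Fetch "forbidden header names").
const FORBIDDEN = new Set(["host", "content-length", "connection", "cookie",
  "transfer-encoding", "upgrade", "referer", "origin", "via", "te", "trailer"]);

class RequestHeaders {
  constructor() { this.map = new Map(); }   // lowercased name -> [first-seen name, value]

  // Returns true if the header was stored, false if it is silently ignored
  // as forbidden; throws on a malformed name or value.
  set(name, value) {
    if (!TOKEN.test(name)) throw new SyntaxError(`invalid header name ${JSON.stringify(name)}`);
    if (!FIELD_VALUE.test(value)) throw new SyntaxError(`invalid value for ${name}: control characters such as CR/LF are not allowed`);
    const key = name.toLowerCase();
    if (FORBIDDEN.has(key) || key.startsWith("proxy-") || key.startsWith("sec-")) return false;
    const prev = this.map.get(key);
    // XMLHttpRequest combines repeated headers into one comma-separated value.
    this.map.set(key, [prev ? prev[0] : name, prev ? `${prev[1]}, ${value}` : value]);
    return true;
  }

  // Serialise the request head for `url`; Host always comes from the URL, never from script.
  requestHead(method, url) {
    const u = new URL(url);
    const lines = [`${method} ${u.pathname}${u.search} HTTP/1.1`, `Host: ${u.host}`];
    for (const [name, value] of this.map.values()) lines.push(`${name}: ${value}`);
    return lines.join("\r\n") + "\r\n\r\n";
  }
}
```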

An uninitialized pointer issue exists in the handling of the CSS ‘attr’ function. Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of CSS elements.

An XML External Entity issue exists in WebKit’s handling of XML. Visiting a maliciously crafted website may result in the website being able to read files from the user’s system. This update addresses the issue by not loading external entities across origins.

WebKit does not properly handle redirects when processing Extensible Stylesheet Language Transformations (XSLT). This allows a maliciously crafted website to retrieve XML content from pages on other websites, which could result in the disclosure of sensitive information. This update addresses the issue by ensuring that documents referenced in transformations are downloaded from the same domain as the transformation itself.

A use-after-free issue exists in WebKit’s handling of the JavaScript DOM. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document elements.

An issue in WebKit’s handling of Location and History objects may result in a cross-site scripting attack when visiting a malicious website. This update addresses the issue through improved handling of Location and History objects.