Operating System:

[Apple iOS]

Published:

23 November 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.1066
                                  iOS 4.2
                             23 November 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple iOS 2.0 through 4.1 for iPhone 3G and later
                   Apple iOS 2.1 through 4.1 for iPod touch (2nd generation) and later
                   Apple iOS 3.2 through 3.2.2 for iPad
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4008 CVE-2010-3832 CVE-2010-3831
                   CVE-2010-3830 CVE-2010-3829 CVE-2010-3828
                   CVE-2010-3827 CVE-2010-3826 CVE-2010-3824
                   CVE-2010-3823 CVE-2010-3822 CVE-2010-3821
                   CVE-2010-3820 CVE-2010-3819 CVE-2010-3818
                   CVE-2010-3817 CVE-2010-3816 CVE-2010-3814
                   CVE-2010-3813 CVE-2010-3812 CVE-2010-3811
                   CVE-2010-3810 CVE-2010-3809 CVE-2010-3808
                   CVE-2010-3805 CVE-2010-3804 CVE-2010-3803
                   CVE-2010-3786 CVE-2010-3259 CVE-2010-3257
                   CVE-2010-3116 CVE-2010-3054 CVE-2010-3053
                   CVE-2010-2808 CVE-2010-2807 CVE-2010-2806
                   CVE-2010-2805 CVE-2010-2249 CVE-2010-1843
                   CVE-2010-1822 CVE-2010-1815 CVE-2010-1814
                   CVE-2010-1813 CVE-2010-1812 CVE-2010-1811
                   CVE-2010-1807 CVE-2010-1806 CVE-2010-1793
                   CVE-2010-1791 CVE-2010-1789 CVE-2010-1788
                   CVE-2010-1787 CVE-2010-1786 CVE-2010-1785
                   CVE-2010-1784 CVE-2010-1783 CVE-2010-1782
                   CVE-2010-1781 CVE-2010-1780 CVE-2010-1771
                   CVE-2010-1770 CVE-2010-1764 CVE-2010-1758
                   CVE-2010-1757 CVE-2010-1422 CVE-2010-1421
                   CVE-2010-1418 CVE-2010-1417 CVE-2010-1416
                   CVE-2010-1415 CVE-2010-1414 CVE-2010-1410
                   CVE-2010-1408 CVE-2010-1407 CVE-2010-1405
                   CVE-2010-1403 CVE-2010-1394 CVE-2010-1392
                   CVE-2010-1387 CVE-2010-1384 CVE-2010-1205
                   CVE-2010-0544 CVE-2010-0051 CVE-2010-0042
                   CVE-2009-1707  

Reference:         ASB-2010.0175
                   ESB-2010.1061
                   ESB-2010.0809
                   ESB-2010.0805
                   ESB-2010.0792
                   ESB-2010.0757
                   ESB-2010.0657
                   ESB-2010.0555
                   ESB-2010.0539
                   ESB-2010.0509
                   ESB-2010.0287
                   ASB-2010.0237.3
                   ASB-2010.0201.2
                   ASB-2010.0197.2
                   ASB-2010.0157.2
                   ESB-2010.1039.2
                   ESB-2010.0239.2

Original Bulletin: 
   http://support.apple.com/kb/HT4456

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-11-22-1 iOS 4.2

iOS 4.2 is now available and addresses the following:

Configuration Profiles
CVE-ID:  CVE-2010-3827
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  A user may be misled into installing a maliciously crafted
configuration profile
Description:  A signature validation issue exists in the handling of
configuration profiles. A maliciously crafted configuration profile
may appear to have a valid signature in the configuration
installation utility. This issue is addressed through improved
validation of profile signatures. Credit to Barry Simpson of Bomgar
Corporation for reporting this issue.

CoreGraphics
CVE-ID:  CVE-2010-2805, CVE-2010-2806, CVE-2010-2807, CVE-2010-2808,
CVE-2010-3053, CVE-2010-3054
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Multiple vulnerabilities in FreeType 2.4.1
Description:  Multiple vulnerabilities exist in FreeType 2.4.1, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font. These issues are addressed by
updating FreeType to version 2.4.2. Further information is available
via the FreeType site at http://www.freetype.org/

FreeType
CVE-ID:  CVE-2010-3814
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Viewing a PDF document with maliciously crafted embedded
fonts may allow arbitrary code execution
Description:  A heap buffer overflow exists in FreeType's handling of
TrueType opcodes. Viewing a PDF document with maliciously crafted
embedded fonts may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking.

iAd Content Display
CVE-ID:  CVE-2010-3828
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  An attacker in a privileged network position may be able to
cause a call to be initiated
Description:  A URL handling issue exists in iAd Content Display. An
iAd is requested by an application, either automatically or through
explicit user action. By injecting the contents of a requested ad
with a link containing a URL scheme used to initiate a call, an
attacker in a privileged network position may be able to cause a call
to occur. This issue is addressed by ensuring that the user is
prompted before a call is initiated from a link. Credit to Aaron
Sigel of vtty.com for reporting this issue.

ImageIO
CVE-ID:  CVE-2010-2249, CVE-2010-1205
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Multiple vulnerabilities in libpng
Description:  libpng is updated to version 1.4.3 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html

libxml
CVE-ID:  CVE-2010-4008
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in libxml's xpath
handling. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of xpaths. Credit to Bui
Quang Minh from Bkis (www.bkis.com) for reporting this issue.

Mail
CVE-ID:  CVE-2010-3829
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Mail may resolve DNS names when remote image loading is
disabled
Description:  When WebKit encounters an HTML Link Element that
requests DNS prefetching, it will perform the prefetch even if remote
image loading is disabled. This may result in undesired requests to
remote servers. The sender of an HTML-formatted email message could
use this to determine whether the message was viewed. This issue is
addressed by disabling DNS prefetching when remote image loading is
disabled. Credit to Mike Cardwell of Cardwell IT Ltd. for reporting
this issue.

Networking
CVE-ID:  CVE-2010-1843
Available for:  iOS 4.0 through 4.1 for iPhone 3GS and later,
iOS 4.0 through 4.1 for iPod touch (3rd generation),
iOS 3.2 through 3.2.2 for iPad
Impact:  A remote attacker may cause an unexpected system shutdown
Description:  A null pointer dereference issue exists in the handling
of Protocol Independent Multicast (PIM) packets. By sending a
maliciously crafted PIM packet, a remote attacker may cause an
unexpected system shutdown. This issue is addressed through improved
validation of PIM packets. Credit to an anonymous researcher working
with TippingPoint's Zero Day Initiative for reporting this issue.
This issue does not affect devices running iOS versions prior to 3.2.

Networking
CVE-ID:  CVE-2010-3830
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Malicious code may gain system privileges
Description:  An invalid pointer reference exists in Networking when
handling packet filter rules. This may allow malicious code running
in the user's session to gain system privileges. This issue is
addressed through improved handling of packet filter rules.

OfficeImport
CVE-ID:  CVE-2010-3786
Available for:  iOS 3.2 through 3.2.2 for iPad
Impact:  Viewing a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in OfficeImport's
handling of Excel files. Viewing a maliciously crafted Excel file may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
This issue was addressed on iPhones in iOS 4. Credit to Tobias Klein,
working with VeriSign iDefense Labs for reporting this issue.

Photos
CVE-ID:  CVE-2010-3831
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  "Send to MobileMe" may result in the disclosure of the
MobileMe account password
Description:  The Photos application allows users to share their
pictures and movies through various means. One way is the "Send to
MobileMe" button, which uploads the selected contents to the user's
MobileMe Gallery. The Photos application will use HTTP Basic
authentication if no other authentication mechanism is presented as
available by the server. An attacker with a privileged network
position may manipulate the response of the MobileMe Gallery to
request basic authentication, resulting in the disclosure of the
MobileMe account password. This issue is addressed by disabling
support for Basic authentication. Credit to Aaron Sigel of
vtty.com for reporting this issue.
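
Added example (not from Apple's advisory or AusCERT): the scheme-selection logic behind this fix, with the pre-fix fallback next to a policy that withholds credentials when only Basic is offered. Digest as the accepted scheme, the function names and the sample header values are assumptions made for the illustration.

```python
import re

# An auth-param at the start of a comma-separated piece: token "=" value
_AUTH_PARAM = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*=\s*(.+)$", re.S)

# Assumption for this example: Digest is the only scheme the client accepts.
ALLOWED_SCHEMES = ("digest",)


class DowngradeRefused(Exception):
    """Raised when the server offers no scheme the client policy accepts."""


def _split_commas(value):
    """Split a header value on commas that are outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_challenges(header_values):
    """Return [(scheme, {param: value})] from WWW-Authenticate header values.

    token68 credentials (for example Negotiate blobs) are not modelled here.
    """
    challenges = []
    for value in header_values:
        for piece in _split_commas(value):
            m = _AUTH_PARAM.match(piece)
            if m and challenges:
                # A bare param continues the challenge that precedes it.
                challenges[-1][1][m.group(1).lower()] = m.group(2).strip('"')
                continue
            scheme, _, rest = piece.partition(" ")
            params = {}
            m = _AUTH_PARAM.match(rest.strip())
            if m:
                params[m.group(1).lower()] = m.group(2).strip('"')
            challenges.append((scheme.lower(), params))
    return challenges


def select_scheme_legacy(challenges):
    """Pre-fix behaviour as the advisory describes it: fall back to Basic
    when the server presents no other mechanism."""
    offered = [scheme for scheme, _ in challenges]
    for scheme in offered:
        if scheme != "basic":
            return scheme
    if "basic" in offered:
        return "basic"  # password leaves the device as base64(user:password)
    raise DowngradeRefused("no challenge offered")


def select_scheme_hardened(challenges, allowed=ALLOWED_SCHEMES):
    """Post-fix policy: answer only allow-listed schemes, never Basic."""
    offered = {scheme for scheme, _ in challenges}
    for scheme in allowed:
        if scheme in offered:
            return scheme
    raise DowngradeRefused(
        "server offered only %s; credentials withheld" % sorted(offered))


# Constructed sample responses (not captured traffic).
GENUINE = ['Digest realm="gallery", qop="auth", nonce="b2ZmbGluZQ", algorithm=MD5']
TAMPERED = ['Basic realm="gallery"']
MIXED = ['Basic realm="gallery", Digest realm="gallery", nonce="b2ZmbGluZQ"']

if __name__ == "__main__":
    for name, headers in (("genuine", GENUINE), ("tampered", TAMPERED), ("mixed", MIXED)):
        challenges = parse_challenges(headers)
        try:
            hardened = select_scheme_hardened(challenges)
        except DowngradeRefused as exc:
            hardened = "refused (%s)" % exc
        print(name, "| legacy:", select_scheme_legacy(challenges), "| hardened:", hardened)
```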

Safari
CVE-ID:  CVE-2009-1707
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  "Reset Safari" may not immediately remove website passwords
from memory
Description:  After clicking the "Reset" button for "Reset saved
names and passwords" in the "Reset Safari..." menu option, Safari may
take up to 30 seconds to clear the passwords. A user with access to
the device in that time window may be able to access the stored
credentials. This issue is addressed by resolving the race condition
that led to the delay. Credit to Philippe Couturier of izypage.com,
and Andrew Wellington of The Australian National University for
reporting this issue.

Telephony
CVE-ID:  CVE-2010-3832
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A heap buffer overflow exists in the handling of
Temporary Mobile Subscriber Identity (TMSI) fields in GSM mobility
management. This may allow a remote attacker to cause arbitrary code
execution on the baseband processor. This issue is addressed through
improved bounds checking. Credit to Ralf-Philipp Weinmann of the
University of Luxembourg for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3803
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow exists in WebKit's handling of
strings. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to J23
for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3824
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
"use" elements in SVG documents. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
memory handling. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3816
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
scrollbars. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory handling. Credit to Rohit
Makasana of Google Inc. for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3809
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid cast issue exists in WebKit's handling of
inline styling. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of inline styling.
Credit to Abhishek Arya (Inferno) of Google Chrome Security Team for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-3810
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  A maliciously crafted website may be able to spoof the
address in the location bar or add arbitrary locations to the history
Description:  A cross-origin issue exists in WebKit's handling of the
History object. A maliciously crafted website may be able to spoof
the address in the location bar or add arbitrary locations to the
history. This issue is addressed through improved tracking of
security origins. Credit to Mike Taylor of Opera Software for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-3805
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer underflow exists in WebKit's handling of
WebSockets. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to Keith
Campbell, and Cris Neckar of Google Chrome Security Team for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-3823
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
Geolocation objects. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. Credit to
kuzzcc for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3116
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple use after free issues exist in WebKit's
handling of plug-ins. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
These issues are addressed through improved memory handling.

WebKit
CVE-ID:  CVE-2010-3812
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow exists in WebKit's handling of Text
objects. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. Credit to J23
working with TippingPoint's Zero Day Initiative for reporting this
issue.

WebKit
CVE-ID:  CVE-2010-3808
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid cast issue exists in WebKit's handling of
editing commands. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of editing
commands. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3259
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a malicious website may lead to the disclosure of
image data from another website
Description:  A cross-origin issue exists in WebKit's handling of
images created from "canvas" elements. Visiting a malicious website
may lead to the disclosure of image data from another website. This
issue is addressed through improved tracking of security origins.
Credit to Isaac Dawson, and James Qiu of Microsoft and Microsoft
Vulnerability Research (MSVR) for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1822
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid cast issue exists in WebKit's handling of
SVG elements in non-SVG documents. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
handling of SVG elements. Credit to wushi of team509 for reporting
this issue.

WebKit
CVE-ID:  CVE-2010-3811
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
element attributes. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. Credit to
Michal Zalewski for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3817
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid cast issue exists in WebKit's handling of
CSS 3D transforms. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved handling of CSS 3D
transforms. Credit to Abhishek Arya (Inferno) of Google Chrome
Security Team for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3818
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
inline text boxes. Visiting a maliciously crafted website may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. Credit to
Abhishek Arya (Inferno) of Google Chrome Security Team for reporting
this issue.

WebKit
CVE-ID:  CVE-2010-3819
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid cast issue exists in WebKit's handling of
CSS boxes. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved handling of CSS boxes. Credit to
Abhishek Arya (Inferno) of Google Chrome Security Team for reporting
this issue.

WebKit
CVE-ID:  CVE-2010-3820
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized memory access issue exists in WebKit's
handling of editable elements. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of
editable elements. Credit: Apple.

WebKit
CVE-ID:  CVE-2010-1789
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in WebKit's handling of
JavaScript string objects. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved bounds checking.
Credit: Apple.

WebKit
CVE-ID:  CVE-2010-1806
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
elements with run-in styling. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of
object pointers. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3257
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
element focus. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory management. Credit to
VUPEN Vulnerability Research Team for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3826
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid cast issue exists in WebKit's handling of
colors in SVG documents. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of
colors in SVG documents. Credit to Abhishek Arya (Inferno) of Google
Chrome Security Team for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1807
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An input validation issue exists in WebKit's handling
of floating point data types. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of
floating point values. Credit to Luke Wagner of Mozilla for reporting
this issue.

WebKit
CVE-ID:  CVE-2010-3821
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of the ':first-letter' pseudo-element in cascading stylesheets.
Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is
addressed through improved handling of the ':first-letter' pseudo-
element. Credit to Cris Neckar and Abhishek Arya (Inferno) of Google
Chrome Security Team for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3804
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Websites may surreptitiously track users
Description:  Safari generates random numbers for JavaScript
applications using a predictable algorithm. This may allow a website
to track a particular Safari session without using cookies, hidden
form elements, IP addresses, or other techniques. This update
addresses the issue by using a stronger random number generator.
Credit to Amit Klein of Trusteer for reporting this issue.

WebKit
CVE-ID:  CVE-2010-3813
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  WebKit may perform DNS prefetching even when it is disabled
Description:  When WebKit encounters an HTML Link Element that
requests DNS prefetching, it will perform the operation even if
prefetching is disabled. This may result in undesired requests to
remote servers. As an example, the sender of an HTML-formatted email
message could use this to determine that the message was read. This
issue is addressed through improved handling of DNS prefetching
requests. Credit to Jeff Johnson of Rogue Amoeba Software for
reporting this issue.
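
Added example (not from Apple's advisory or AusCERT), covering this entry and the Mail entry for CVE-2010-3829: a filter for HTML mail bodies that removes link elements requesting DNS prefetching and reports the hostnames they would have caused the client to resolve. The class and function names, the inclusion of rel="prefetch" and the sample message are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link relations that make a client look up or contact a host without any
# user action. The advisory names DNS prefetching; "prefetch" is included
# here as an assumption about what a mail filter would also drop.
HINT_RELS = {"dns-prefetch", "prefetch"}


class PrefetchStripper(HTMLParser):
    """Re-emit an HTML document unchanged except for prefetch link elements."""

    def __init__(self):
        # Keep character references as written so the body is not altered.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.hosts = []

    def _start(self, tag, attrs):
        if tag == "link":
            attr = dict(attrs)
            rels = set((attr.get("rel") or "").lower().split())
            if rels & HINT_RELS:
                host = urlsplit(attr.get("href") or "").hostname
                if host and host not in self.hosts:
                    self.hosts.append(host)
                return  # drop the element
        self.out.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_prefetch_hints(html):
    """Return (cleaned_html, hosts) for one HTML mail body."""
    parser = PrefetchStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.hosts


# Constructed sample message body. A per-recipient hostname label is what
# lets a sender tell from its DNS logs that the message was opened.
SAMPLE = (
    "<!DOCTYPE html><html><head>"
    '<link rel="dns-prefetch" href="//r-4f2a91.mail-metrics.example">'
    "<LINK REL='DNS-Prefetch' HREF='http://T2.Mail-Metrics.example/'>"
    '<link rel="stylesheet" href="cid:style1">'
    "</head><body><p>Quarterly report &amp; notes</p></body></html>"
)

if __name__ == "__main__":
    cleaned, hosts = strip_prefetch_hints(SAMPLE)
    print("hosts that would have been resolved:", hosts)
    print(cleaned)
```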

WebKit
CVE-ID:  CVE-2010-3822
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized pointer issue exists in WebKit's
handling of CSS counter styles. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
handling of CSS counter styles. Credit to kuzzcc for reporting this
issue.

WebKit
Available for:  iOS 2.0 through 4.1 for iPhone 3G and later,
iOS 2.1 through 4.1 for iPod touch (2nd generation) and later,
iOS 3.2 through 3.2.2 for iPad
Impact:  A maliciously crafted website may be able to determine which
sites a user has visited
Description:  A design issue exists in WebKit's handling of the CSS
:visited pseudo-class. A maliciously crafted website may be able to
determine which sites a user has visited. This update limits the
ability of web pages to style pages based on whether links are
visited.

Multiple components
CVE-ID:  CVE-2010-0051, CVE-2010-0544, CVE-2010-0042, CVE-2010-1384,
CVE-2010-1387, CVE-2010-1392, CVE-2010-1394, CVE-2010-1403,
CVE-2010-1405, CVE-2010-1407, CVE-2010-1408, CVE-2010-1410,
CVE-2010-1414, CVE-2010-1415, CVE-2010-1416, CVE-2010-1417,
CVE-2010-1418, CVE-2010-1421, CVE-2010-1422, CVE-2010-1757,
CVE-2010-1758, CVE-2010-1764, CVE-2010-1770, CVE-2010-1771,
CVE-2010-1780, CVE-2010-1781, CVE-2010-1782, CVE-2010-1783,
CVE-2010-1784, CVE-2010-1785, CVE-2010-1786, CVE-2010-1787,
CVE-2010-1788, CVE-2010-1791, CVE-2010-1793, CVE-2010-1811,
CVE-2010-1812, CVE-2010-1813, CVE-2010-1814, CVE-2010-1815
Available for:  iOS 3.2 through 3.2.2 for iPad
Impact:  Multiple security fixes in iOS for iPad
Description:  This update incorporates security fixes that were
provided for iPhone and iPod touch in iOS 4 and iOS 4.1.


Installation note:

These updates are only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"4.2.1 (8C148)" or later.

New devices with the version "4.2 (8C134)" or "4.2 (8C134b)"
already include the fixes listed in this advisory.
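
Added example (not from Apple's advisory or AusCERT): the check above applied to a device inventory, classifying each Settings > General > About version string against the values this advisory gives. The function names, the inventory layout and every sample entry other than the three version strings quoted above are constructed.

```python
import re

# Values taken from the installation note above.
FIXED_VERSION = (4, 2, 1)
FIXED_BUILD = "8C148"
FIXED_FACTORY_BUILDS = {"8C134", "8C134b"}  # new devices, already fixed

_VERSION_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)*)\s*\(\s*(\d+[A-Z]\d+[a-z]?)\s*\)\s*$")
_BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)([a-z]?)$")


def build_key(build):
    """Turn a build string such as '8C134b' into a sortable tuple."""
    major, letter, number, suffix = _BUILD_RE.match(build).groups()
    return int(major), letter, int(number), suffix


def parse_about_version(text):
    """Parse 'X.Y[.Z] (BUILD)'; return (version_tuple, build) or None."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    version = tuple(int(part) for part in m.group(1).split("."))
    return version, m.group(2)


def classify(text):
    """Return 'fixed', 'needs-update' or 'unknown' for one version string."""
    parsed = parse_about_version(text)
    if parsed is None:
        return "unknown"  # do not guess: have the device checked by hand
    version, build = parsed
    if build in FIXED_FACTORY_BUILDS:
        return "fixed"
    padded = version + (0,) * (3 - len(version))  # 4.2 compares as 4.2.0
    if padded > FIXED_VERSION:
        return "fixed"
    if padded == FIXED_VERSION and build_key(build) >= build_key(FIXED_BUILD):
        return "fixed"
    return "needs-update"


def audit(inventory):
    """Group device names by status. `inventory` maps name -> version string."""
    report = {"fixed": [], "needs-update": [], "unknown": []}
    for name in sorted(inventory):
        report[classify(inventory[name])].append(name)
    return report


# Constructed inventory; device names and the older build strings are made up.
SAMPLE_INVENTORY = {
    "ipad-reception": "3.2.2 (7B500)",
    "iphone-ops-01": "4.2.1 (8C148)",
    "iphone-ops-02": "4.1 (8B117)",
    "iphone-new-01": "4.2 (8C134)",
    "ipod-lab": "4.2 (8C134b)",
    "iphone-byod": "version not reported",
}

if __name__ == "__main__":
    for status, names in audit(SAMPLE_INVENTORY).items():
        print("%-13s %s" % (status, ", ".join(names) or "-"))
```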

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----