-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1032
                           iOS 5 Software Update
                              13 October 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          iOS
Publisher:        Apple
Operating System: Apple iOS
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Access Privileged Data          -- Remote with User Interaction
                  Cross-site Scripting            -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Provide Misleading Information  -- Remote with User Interaction
                  Access Confidential Data        -- Remote with User Interaction
                  Unauthorised Access             -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-3434 CVE-2011-3432 CVE-2011-3431
                  CVE-2011-3430 CVE-2011-3429 CVE-2011-3427
                  CVE-2011-3426 CVE-2011-3389 CVE-2011-3261
                  CVE-2011-3260 CVE-2011-3259 CVE-2011-3257
                  CVE-2011-3256 CVE-2011-3255 CVE-2011-3254
                  CVE-2011-3253 CVE-2011-3246 CVE-2011-3245
                  CVE-2011-3244 CVE-2011-3243 CVE-2011-3237
                  CVE-2011-3236 CVE-2011-3235 CVE-2011-3234
                  CVE-2011-3232 CVE-2011-2831 CVE-2011-2827
                  CVE-2011-2823 CVE-2011-2820 CVE-2011-2819
                  CVE-2011-2818 CVE-2011-2817 CVE-2011-2816
                  CVE-2011-2814 CVE-2011-2813 CVE-2011-2809
                  CVE-2011-2805 CVE-2011-2800 CVE-2011-2799
                  CVE-2011-2797 CVE-2011-2792 CVE-2011-2790
                  CVE-2011-2788 CVE-2011-2359 CVE-2011-2356
                  CVE-2011-2354 CVE-2011-2352 CVE-2011-2351
                  CVE-2011-2341 CVE-2011-2339 CVE-2011-2338
                  CVE-2011-1797 CVE-2011-1774 CVE-2011-1462
                  CVE-2011-1457 CVE-2011-1453 CVE-2011-1451
                  CVE-2011-1449 CVE-2011-1296 CVE-2011-1295
                  CVE-2011-1293 CVE-2011-1288 CVE-2011-1204
                  CVE-2011-1203 CVE-2011-1190 CVE-2011-1188
                  CVE-2011-1132 CVE-2011-1121 CVE-2011-1117
                  CVE-2011-1115 CVE-2011-1114 CVE-2011-1109
                  CVE-2011-1107 CVE-2011-0983 CVE-2011-0981
                  CVE-2011-0259 CVE-2011-0255 CVE-2011-0254
                  CVE-2011-0242 CVE-2011-0241 CVE-2011-0238
                  CVE-2011-0235 CVE-2011-0234 CVE-2011-0233
                  CVE-2011-0232 CVE-2011-0225 CVE-2011-0222
                  CVE-2011-0221 CVE-2011-0218 CVE-2011-0216
                  CVE-2011-0208 CVE-2011-0206 CVE-2011-0192
                  CVE-2011-0187 CVE-2011-0184 CVE-2011-0166

Reference:        ASB-2011.0079
                  ASB-2011.0068
                  ASB-2011.0062
                  ASB-2011.0060
                  ASB-2011.0054
                  ASB-2011.0033
                  ASB-2011.0026
                  ASB-2011.0020
                  ESB-2011.1026
                  ESB-2011.0749
                  ESB-2011.0667
                  ESB-2011.0314
                  ESB-2011.0276
                  ASB-2011.0071.2
                  ASB-2011.0014.2

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2011-10-12-1 iOS 5 Software Update

iOS 5 Software Update is now available and addresses the following:

CalDAV
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information from a CalDAV
calendar server
Description:  CalDAV did not check that the SSL certificate presented
by the server was trusted.
CVE-ID
CVE-2011-3253 : Leszek Tasiemski of nSense

Calendar
Available for:  iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 4.2.0 through 4.3.5 for iPad
Impact:  Viewing a maliciously crafted calendar invitation may inject
script in the local domain
Description:  A script injection issue existed in Calendar's handling
of invitation notes. This issue is addressed through improved
escaping of special characters in invitation notes. This issues does
not affect devices prior to iOS 4.2.0.
CVE-ID
CVE-2011-3254 : Rick Deacon

CFNetwork
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  User's AppleID password may be logged to a local file
Description:  A user's AppleID password and username were logged to a
file that was readable by applications on the system. This is
resolved by no longer logging these credentials.
CVE-ID
CVE-2011-3255 : Peter Quade of qdevelop

CFNetwork
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description:  An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook

CoreFoundation
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description:  A memory corruption issue existed in CoreFoundation's
handling of string tokenization.
CVE-ID
CVE-2011-0259 : Apple

CoreGraphics
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Viewing a document containing a maliciously crafted font may
lead to arbitrary code execution
Description:  Multiple memory corruption existed in freetype, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font.
CVE-ID
CVE-2011-3256 : Apple

CoreMedia
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description:  A cross-origin issue existed in CoreMedia's handling of
cross-site redirects. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)

Data Access
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  An exchange mail cookie management issue could incorrectly
cause data synchronization across different accounts
Description:  When multiple mail exchange accounts are configured
which connect to the same server, a session could potentially receive
a valid cookie corresponding to a different account. This issue is
addressed by ensuring that cookies are separated across different
accounts.
CVE-ID
CVE-2011-3257 : Bob Sielken of IBM

Data Security
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  Fraudulent certificates were issued by multiple
certificate authorities operated by DigiNotar. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted.

Data Security
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description:  Certificates signed using the MD5 hash algorithm were
accepted by iOS. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427

Data Security
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  An attacker could decrypt part of a SSL connection
Description:  Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2.
CVE-ID
CVE-2011-3389

Home screen
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Switching between applications may lead to the disclosure of
sensitive application information
Description:  When switching between applications with the four-
finger app switching gesture, the display could have revealed the
previous application state. This issue is addressed by ensuring that
the system properly calls the applicationWillResignActive: method
when transitioning between applications.
CVE-ID
CVE-2011-3431 : Abe White of Hedonic Software Inc.

ImageIO
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libTIFF's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0192 : Apple

ImageIO
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies

International Components for Unicode
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description:  A buffer overflow issue existed in ICU's generation of
collation keys for long strings of mostly uppercase letters.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla

Kernel
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  A remote attacker may cause a device reset
Description:  The kernel failed to promptly reclaim memory from
incomplete TCP connections. An attacker with the ability to connect
to a listening service on an iOS device could exhaust system
resources.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders

Kernel
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  A local user may be able to cause a system reset
Description:  A null dereference issue existed in the handling of
IPV6 socket options.
CVE-ID
CVE-2011-1132 : Thomas Clement of Intego

Keyboards
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  A user may be able to determine information about the last
character of a password
Description:  The keyboard used to type the last character of a
password was briefly displayed the next time the keyboard was used.
CVE-ID
CVE-2011-3245 : Paul Mousdicas

libxml
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team

OfficeImport
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Viewing a maliciously crafted Word file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in OfficeImport's handling of
Microsoft Word documents.
CVE-ID
CVE-2011-3260 : Tobias Klein working with Verisign iDefense Labs

OfficeImport
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Viewing a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description:  A double free issue existed in OfficeImport's handling
of Excel files.
CVE-ID
CVE-2011-3261 : Tobias Klein of www.trapkit.de

OfficeImport
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description:  A memory corruption issue existed in OfficeImport's
handling of Microsoft Office files.
CVE-ID
CVE-2011-0208 : Tobias Klein working with iDefense VCP

OfficeImport
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Downloading a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in OfficeImport's
handling of Excel files.
CVE-ID
CVE-2011-0184 : Tobias Klein working with iDefense VCP

Safari
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Opening maliciously crafted files on certain websites may
lead to a cross-site scripting attack
Description:  iOS did not support the 'attachment' value for the HTTP
Content-Disposition header. This header is used by many websites to
serve files that were uploaded to the site by a third-party, such as
attachments in web-based e-mail applications. Any script in files
served with this header value would run as if the file had been
served inline, with full access to other resources on the origin
server. This issue is addressed by loading attachments in an isolated
security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP,
Yoshinori Oota from Business Architects Inc working with JP/CERT

Settings
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  An attacker with physical access to a device may be able to
recover the restrictions passcode
Description:  The parental restrictions functionality enforces UI
restrictions. Configuring parental restrictions is protected by a
passcode, which was previously stored in plaintext on disk. This
issue is addressed by securely storing the parental restrictions
passcode in the system keychain.
CVE-ID
CVE-2011-3429 : an anonymous reporter

Settings
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Misleading UI
Description:  Configurations and settings applied via configuration
profiles did not appear to function properly under any non-English
language. Settings could be improperly displayed as a result. This
issue is addressed by fixing a localization error.
CVE-ID
CVE-2011-3430 : Florian Kreitmaier of Siemens CERT

UIKit Alerts
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a malicious website may cause an unexpected device
hang
Description:  An excessive maximum text layout length permitted
malicious websites to cause iOS to hang when drawing acceptance
dialogs for very long tel: URIs. This issue is addressed by using a
more reasonable maximum URI size.
CVE-ID
CVE-2011-3432 : Simon Young of Anglia Ruskin University

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous reporter working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3244 : vkouchna

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-origin issue existed in the handling of URLs
with an embedded username. This issue is addressed through improved
handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-origin issue existed in the handling of DOM
nodes.
CVE-ID
CVE-2011-1295 : Sergey Glazunov

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description:  A URL spoofing issue existed in the handling of the DOM
history object.
CVE-ID
CVE-2011-1107 : Jordi Chancel

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a malicious website and dragging content in the
page may lead to an information disclosure
Description:  A cross-origin issue existed in WebKit's handling of
HTML5 drag and drop. This issue is addressed by disallowing drag and
drop across different origins.
CVE-ID
CVE-2011-0166 : Michal Zalewski of Google Inc.

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to an
information disclosure
Description:  A cross-origin issue existed in the handling of Web
Workers.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov

WebKit
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description:  A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen

WiFi
Available for:  iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact:  WiFi credentials may be logged to a local file
Description:  WiFi credentials including the passphrase and
encryption keys were logged to a file that was readable by
applications on the system. This is resolved by no longer logging
these credentials.
CVE-ID
CVE-2011-3434 : Laurent OUDOT of TEHTRI Security

Installation note:

This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5 (9A334)".

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iQEcBAEBAgAGBQJOldmtAAoJEGnF2JsdZQee/qMIAIPxmIiOqj+FMLFHZtPeC/Dp
3s4JliKOOgNnjXkxErfaNvYGmeVbDaUER5jdVrWccTauzlYmy8G4uK0An2GD2YiP
gB5AiCQXpONdBCi38QNdRqrYoYjc8Sa0nUp4r5uWPoiHoj5KfxvBpgygEL+zjHXS
fmnrONOCWhOYp0w4q6mdTg5BH2uJCbXscD/JjbmgHQI0Vs/iUZKSRyqFo2b0Mvze
NiSyzcj/4l62Cxx7xM9VbdrYL7Al2yyHfNYJQsZmoeDUlJQcdgEgEMXvOuhY3sFK
maxYr2oCp6Mtf53fplAeJIV4ijLynEWAKxTuTznAyW1k7oiGrDTfORSFKPEB9MQ=
=LCQZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTpZ0a+4yVqjM2NGpAQIdOQ//Sl/cH8wiY74ibIigQ3uCvHiurlIujmq7
bg3VqH0r8LtXQXy5Ik6eY2DdbwsMYoL9O8kMb1L+kl01BYg8BZeBmT/DrJsm6cD/
BMnraFJpmq/VuDocMV0+kYTQb6xmwXYyZVQIPWoxM+tJjxZ/Zdg3EBTB0Ry0Yd5s
kAZ1VXgkdtlbfyIW3SLSmIUPGPljl8o3qutovZT19B1sD3YQ40h+225Vl9Z9nXOc
epmxGylmRgJuLtfPQtHi6hBwwkO50tLpAzIn2suXbvtLkoFvIDmVHSvTkUFgo4HZ
By/uTMnmGz3PpoB9EvrFpMVjQZ2J/xlERd6go1OmeoU/RxVHJCZIO8acpOQSyygm
89YIZR7xwds8bA5lm3X/8o2P/VtPzuSjWFc3YhFYHNTe8Q84KxVAme5rUZLplYPk
WT5SeZ2mLlCgRZOhr4rBMLidbpQWiHkyXU4qZ4+zfdvMrJ6T4TXQ8jDubkb5bfM1
vJzulLUfExgi99zqzy9PlqU4Dw9S1aUFdNo6w2kFT9/Gv0+0iyXkcsooEUE+qjmC
1iJS0xwdO9TYQ2ymkKQCU0N3Y+4pBITd9hcenaxyFZcE0un23pcn1xW2lTENy7Ou
YS7sN+dh9ydjyODbBbYbZP4P6kPwawILqF7GlRSXuoT06llNJxjm9Wtc5H6fxcxz
XBacz6MbV5s=
=kSBE
-----END PGP SIGNATURE-----