In association with heise online

01 August 2007, 19:37

Apple closes holes in iPhone and Mac OS X


Apple has released security updates for the iPhone, Mac OS X, the beta version of Safari for Windows, and Webkit on Windows and Mac OS X. Update 2007-007 closes vulnerabilities in 16 components of the Mac OS X operating system alone. On the iPhone, Apple has eliminated five bugs. Some of these could be used by attackers to inject and execute arbitrary program code.

In Mac OS X, the Java interface for CoreAudio allows attackers to free arbitrary memory, read and write memory outside the bounds of the CoreAudio memory space, and instantiate and craft objects outside their own memory spaces, permitting execution of malicious code. Opening crafted PDFs can have similar effects due to an integer overflow in PDFKit during processing. Manipulated Quartz Composer files can also be used to inject arbitrary code. In iChat and mDNSResponder, Apple had already patched vulnerabilities with security update 2007-005; these are associated with the processing of crafted UPnP IGD packets, which are used to set up port forwarding on NAT routers. However, that patch apparently did not close the hole properly, because Apple has included a new patch for the two programs in the current update.

Bzgrep and zgrep, which are included in the bzip2 or gnuzip packages, do not handle specially crafted filenames correctly, which can lead to the execution of injected code. The update for the integrated Samba version eliminates bugs which can be exploited to run malicious code, execute shell commands or bypass quota restrictions. Other vulnerabilities affect Webkit. In the Perl Compatible Regular Expressions (PCRE) library, which Safari uses for its JavaScript engine, a heap overflow may be triggered, leading to the execution of arbitrary code.

Apple has also improved the test for valid domain names, which should reduce the chance of users being deceived into trusting phishing URLs. Because of the support for International Domain Names (IDN), it has been possible to include characters in a URL which look similar to those of the normal character set. The Cyrillic 'a' looks identical to the West European 'a' but is of course a completely different Unicode entity. However, if currently recommended standards had been adopted more generally, this problem should not have arisen. More than a year ago, UK domain name agency Nominet recommended restricting any URL to a single character set for this specific reason, but no-one seems to have paid any attention so far.
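The single-character-set rule described above can be checked mechanically. The following is an added example, not code from Apple, Nominet or the original article: it flags hostname labels that mix scripts and shows the ASCII (Punycode) form a browser could display instead. The function names and the `.example` hostnames are constructed for illustration, and the script of a character is approximated from the first word of its Unicode name.

```python
import unicodedata


def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphens are shared by all scripts
    try:
        return unicodedata.name(ch).split()[0]  # e.g. "LATIN", "CYRILLIC"
    except ValueError:
        return "UNKNOWN"  # unnamed code point


def label_scripts(label):
    """Return the set of scripts used in one DNS label, ignoring shared characters."""
    return {char_script(c) for c in label} - {"COMMON"}


def check_hostname(host):
    """Return (label, scripts, ascii_form) for every label that mixes scripts."""
    findings = []
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            # The IDNA encoding exposes the label as an xn-- string.
            ascii_form = label.encode("idna").decode("ascii")
            findings.append((label, sorted(scripts), ascii_form))
    return findings


if __name__ == "__main__":
    # Constructed samples: the first starts with CYRILLIC SMALL LETTER A (U+0430).
    for host in ["\u0430pple.example", "apple.example",
                 "\u043f\u0440\u0438\u043c\u0435\u0440.example"]:
        hits = check_hostname(host)
        if hits:
            for label, scripts, ascii_form in hits:
                print(f"{host!r}: mixed {scripts}, shown as {ascii_form}")
        else:
            print(f"{host!r}: single script per label")
```

A label written entirely in one non-Latin script passes this check, so it does not catch lookalikes built from a single script.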

The CFNetwork and WebCore components contain bugs which can be used for Cross-Site-Scripting attacks. Attackers can also use crafted FTP links to issue arbitrary commands from the FTP client. Apple is also eliminating bugs in third-party, open-source software. Thus, the new versions of cscope (a source-code browser for developers), Kerberos, PHP 4 and Tomcat close numerous security holes in those packages.

The iPhone also gets a security update to close five holes. These all relate to the web functions in the phone. The report states that two of the holes are critical. Apple says these allow code to be injected and executed. The holes in the PCRE library also affect the iPhone. In Webkit, rendering of certain frames leads to an invalid type conversion which results in memory corruption. At best, the application merely crashes. In the worst case, this causes the iPhone to be compromised. A Cross-Site-Scripting and a Cross-Site-Request vulnerability have also been eliminated, which attackers could use to read out cookies, for example. Finally, the IDN support vulnerability has also been eliminated in Safari.

The updated Safari beta version also fixes vulnerabilities in the PCRE library and with the IDN display. Under Windows, the new version also closes a security hole in bookmark creation which at least causes the browser to crash and can also lead to arbitrary code being executed.

The security update from Apple for the iPhone could mean that "Web Based Attacks" will soon not only take place on Windows desktops but will also increasingly spread to Mac OS computers and mobile telephones. Although attacks on mobile phones have so far only appeared occasionally because of the heterogeneous environment presented by mobile telephones, this could all change with the iPhone – attacks which exploit the holes in the Safari web browser under Windows or Mac OS X may also succeed in many cases on the iPhone. Besides, Apple claims that it sold 270,000 iPhones on the first two days that they were on sale, making this phone an extremely attractive target for virus creators.
