IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in iPhone OS

June 18, 2009

The Information-technology Promotion Agency (IPA, Chairman Koji Nishigaki) announced a security alert on June 18, 2009 concerning a security vulnerability in “iPhone OS”.
The vulnerability may cause the “iPhone” and “iPod touch” to stop operating when they are attacked from an external source.
To fix this vulnerability, update to the fixed version supplied by the vendor.

1. Overview

The “iPhone” and “iPod touch”, which are supplied by Apple Inc., have “iPhone OS” (iPod touch has “iPhone OS for iPod touch”) embedded as their base operating system.

“iPhone OS” contains a vulnerability that may lead to a denial-of-service (DoS) condition due to a problem in processing requests received over the network. If it is exploited, the “iPhone” or “iPod touch” may stop operating when attacked from an external source.

For detailed information, refer to the URL below:
http://support.apple.com/kb/HT3639

For the latest information, refer to the URL below:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000040

The IPA first received a report of this vulnerability from the person credited below on December 17, 2008. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor, and the announcement was made public on June 18, 2009.
Credit: Masaki Yoshida

2. Impact

When attacked from an external source, the “iPhone” and “iPod touch” may stop operating. As a result, the device may fall into a condition where it no longer accepts user operations.

3. Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4. CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score): □ Low (0.0~3.9) □ Medium (4.0~6.9) ■ High (7.0~10.0)
CVSS base score: 7.8

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High □ Medium ■ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact ■ None □ Partial □ Complete
I:Integrity Impact ■ None □ Partial □ Complete
A:Availability Impact □ None □ Partial ■ Complete

■:Selected Values

5. CWE Type

This vulnerability has been classified under CWE as “Improper Input Validation (CWE-20)”.

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: