June 18, 2009
>> JAPANESE

1.Overview

The “iPhone” and ”iPod touch”, which are supplied by Apple Inc., have “iPhone OS” (iPod touch has “iPhone OS for iPod touch”) embedded as their base operating system.

“iPhone OS” contains a vulnerability which may lead “iPhone OS” to a denial-of-service (DoS) condition due to a problem in processing requests made via network. If exploited, there is a possibility that the “iPhone” or “iPod touch” may cease operations in the event an external attack is experienced.

For detailed information, refer to the URL below:
http://support.apple.com/kb/HT3639

For the latest information, refer to the URL below:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000040

The IPA first received a report concerning this vulnerability through the creditee below on December 17, 2008, and the JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, made adjustments to clarify the matter with the vendor and made the announcement public on June 18, 2009.
Credit: Masaki Yoshida

2.Impact

When an external attack is experienced, “iPhone” and “iPod touch” may cease operation. As a result, there is a possibility that the “iPhone” or “iPod touch” may fall into a condition where user operations are not accepted.

3.Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score)	□ Low (0.0~3.9)	□ Medium (4.0~6.9)	■ High (7.0~10.0)
CVSS base score			7.8

(2) Base Score Metrics

AV:Access Vector	□ Local	□ Adjacent 　Network	■ Network
AC:Access Complexity	□ High	□ Medium	■ Low
Au:Authentication	□ Multiple	□ Single	■ None
C:Confidentiality Impact	■ None	□ Partial	□ Complete
I:Integrity Impact	■ None	□ Partial	□ Complete
A:Availability Impact	□ None	□ Partial	■ Complete

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as “Improper Input Validation (CWE-20)”.

Contact