Apple has closed five security holes impacting the iPhone and iPod Touch that left users open to attack.
Of the five vulnerabilities fixed by the latest iPhone OS update (3.1.3), three can be exploited to execute code and a fourth is a memory corruption issue. Two of the code-execution vulnerabilities are buffer overflows. One exists in the CoreAudio component’s handling of mp4 audio files: if a user plays a maliciously crafted mp4 file, an attacker can crash the application or execute arbitrary code. The other is in ImageIO’s handling of TIFF images, and viewing a malicious TIFF can lead to the same result.
Apple also fixed a memory corruption issue in the handling of “a certain USB control message.” Exploiting it could let an attacker bypass the device passcode and access user data, but it requires that the attacker have physical access to the device.
The final two vulnerabilities are in WebKit. One is caused by input validation errors in WebKit’s handling of FTP directory listings, which could lead to unexpected application termination or arbitrary code execution. The other is due to WebKit not issuing a resource load callback when it encounters an HTML 5 Media Element pointing to an external resource. Because the embedding application is never consulted before the load, it cannot block the request, and rendering such an element can cause undesired requests to remote servers.
“As an example, the sender of an HTML-formatted e-mail message could use this to determine that the message was read,” Apple’s advisory reads. “This issue is addressed by generating resource load callbacks when WebKit encounters an HTML 5 Media Element.”
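The read-tracking technique Apple describes works the same way a tracking pixel does: the sender embeds a media element whose source lives on a server they control, and the request that arrives when the message is rendered tells them it was opened. The following is an added example, not code from Apple or from the article, showing the client-side check a mail application would want if it cannot rely on the rendering engine's resource load callback: it parses the HTML body and strips `src` and `poster` attributes of `audio`, `video`, `source` and `track` elements that would trigger a network request, keeping only resources embedded in the message (`cid:`) or inlined (`data:`). The sample message, hostnames and the `data-blocked` marker attribute are constructed for the example.

```python
"""Strip remote media references from an HTML e-mail body before rendering.

Added example (not Apple's or the article's code). Any URL that is not a
cid: or data: URL is treated as remote, including scheme-relative (//host/)
and relative paths, because the base URL of a mail message is not under the
recipient's control. Sample message and hostnames below are constructed.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

MEDIA_TAGS = {"audio", "video", "source", "track"}
URL_ATTRS = {"src", "poster"}


def is_remote(url):
    """True if loading this URL could reach a server outside the message."""
    if url is None:
        return False
    scheme = urlparse(url.strip()).scheme.lower()
    # Only resources carried inside the message itself are considered local.
    return scheme not in ("cid", "data")


class RemoteMediaStripper(HTMLParser):
    """Re-emits the document, rewriting media elements with remote sources."""

    def __init__(self):
        # Keep entity references as written so the output matches the input.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.stripped = []  # (tag, url) pairs removed, for logging or UI

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def _filter(self, tag, attrs):
        """Drop remote URL attributes on media tags; mark the element."""
        kept, changed = [], False
        for name, value in attrs:
            if tag in MEDIA_TAGS and name in URL_ATTRS and is_remote(value):
                self.stripped.append((tag, value))
                kept.append(("data-blocked", name))  # constructed marker attribute
                changed = True
            else:
                kept.append((name, value))
        return kept, changed

    def _emit_tag(self, tag, attrs, self_closing):
        kept, changed = self._filter(tag, attrs)
        if changed:
            self.out.append(self._render(tag, kept, self_closing))
        else:
            self.out.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_remote_media(html_body):
    """Return (sanitized_html, list_of_removed_(tag, url)_pairs)."""
    parser = RemoteMediaStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.stripped


# Constructed sample: a message carrying a silent audio beacon, a remote
# video poster and a scheme-relative <source>, plus a legitimate inline logo.
SAMPLE_EMAIL = (
    '<html><body><p>Quarterly report attached &amp; ready.</p>'
    '<audio src="https://mail.example-tracker.test/beacon/7f3a.mp3" autoplay></audio>'
    '<video poster="http://mail.example-tracker.test/p/7f3a.png">'
    '<source src="//mail.example-tracker.test/v/7f3a.mp4" type="video/mp4">'
    '</video>'
    '<img src="cid:logo@example.test" alt="logo">'
    '</body></html>'
)

if __name__ == "__main__":
    sanitized, removed = strip_remote_media(SAMPLE_EMAIL)
    for tag, url in removed:
        print("blocked <%s> load of %s" % (tag, url))
    print(sanitized)
```

The stripper fails closed: relative and scheme-relative URLs count as remote, since a message's base URL is chosen by the sender. The `<img>` case is the classic tracking pixel and is normally handled by the client's remote-content setting; the point of the WebKit bug above is that media elements bypassed that hook entirely, which is why the filter here targets media tags specifically.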