MA-193.092009: MyCERT Alert - Critical Vulnerability in iPhone and iPod Touch Operating System

1.0 Introduction

A critical vulnerability has been identified in the iPhone and iPod touch operating system. The ACTransformerCodec::AppendInputData() function of the AudioCodecs library in both operating systems contains a heap buffer overflow that is triggered while parsing maliciously crafted AAC or MP3 files. An attacker may exploit the vulnerability to execute arbitrary code in the context of an application that uses the vulnerable library. One attack vector is an iPhone ringtone with malformed sample size table entries.

2.0 Impact

By exploiting this vulnerability, an attacker could crash the affected application or execute arbitrary code, potentially taking control of the affected system.

3.0 Affected Products

The products listed below are vulnerable:
- iPhone OS version 1.0 through 3.0.1
- iPhone OS for iPod touch version 1.1 through 3.0
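The bug class described in the Introduction, as an added illustration that is not Apple's code and not the actual vulnerable function: a sample size read from an untrusted table in the audio file is used as the length of a copy into a fixed-size heap buffer, so a malformed entry writes past the end of that buffer. The table layout (a 32-bit entry count followed by one 32-bit big-endian size per sample, as in the MP4 'stsz' atom), the queue structure, the buffer sizes and all function names are assumptions made for the example. The unchecked variant is shown beside the hardened one; only the hardened one is exercised, on constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder input queue: a heap buffer that samples are appended to. */
typedef struct {
    uint8_t *buf;   /* heap buffer the decoder consumes from */
    size_t cap;     /* bytes allocated */
    size_t len;     /* bytes currently queued */
} input_queue;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the sample size comes straight from the file and is
 * used as the copy length with no check against the queue's capacity. An
 * entry larger than cap - len writes past the end of buf (heap overflow).
 * Shown for contrast only; nothing below calls it. */
void append_input_unchecked(input_queue *q, const uint8_t *src, uint32_t size)
{
    memcpy(q->buf + q->len, src, size);
    q->len += size;
}

/* Hardened pattern: the size must be backed by bytes still left in the
 * file and must fit in the remaining queue capacity. */
int append_input_checked(input_queue *q, const uint8_t *src, size_t avail, uint32_t size)
{
    if (size > avail) return -1;            /* claims bytes the file does not have */
    if (size > q->cap - q->len) return -1;  /* would overflow the heap buffer */
    memcpy(q->buf + q->len, src, size);
    q->len += size;
    return 0;
}

/* Walk the table (entry count, then one size per sample) and queue each
 * sample. Returns the number of samples queued, or -1 if any entry is
 * malformed; nothing is written for the offending entry. */
int feed_samples(const uint8_t *table, size_t table_len,
                 const uint8_t *data, size_t data_len, input_queue *q)
{
    if (table_len < 4) return -1;
    uint32_t count = be32(table);
    if (count > (table_len - 4) / 4) return -1;   /* table shorter than it claims */
    size_t off = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t size = be32(table + 4 + 4 * (size_t)i);
        if (append_input_checked(q, data + off, data_len - off, size) != 0)
            return -1;
        off += size;
    }
    return (int)count;
}

static size_t last_len;                  /* queue length after the last run_case */
size_t last_queued_len(void) { return last_len; }

/* Feed one constructed table into a fresh queue of the given capacity. */
static int run_case(const uint8_t *table, size_t table_len, size_t cap)
{
    uint8_t data[24];                    /* constructed sample payload, 24 bytes */
    memset(data, 0xAB, sizeof data);
    input_queue q = { malloc(cap), cap, 0 };
    int r = feed_samples(table, table_len, data, sizeof data, &q);
    last_len = q.len;
    free(q.buf);
    return r;
}

/* Well-formed table: two samples of 16 and 8 bytes into a 64-byte queue. */
int run_benign(void)
{
    static const uint8_t t[] = { 0,0,0,2,  0,0,0,16,  0,0,0,8 };
    return run_case(t, sizeof t, 64);
}

/* Malformed entry of the kind the advisory describes: one sample
 * claiming 0xFFFFFFF0 bytes, far more than the file or the queue holds. */
int run_oversized_entry(void)
{
    static const uint8_t t[] = { 0,0,0,1,  0xFF,0xFF,0xFF,0xF0 };
    return run_case(t, sizeof t, 64);
}

/* Entry fully backed by the file (24 bytes) but larger than a 16-byte queue. */
int run_queue_too_small(void)
{
    static const uint8_t t[] = { 0,0,0,1,  0,0,0,24 };
    return run_case(t, sizeof t, 16);
}

int main(void)
{
    int r = run_benign();
    printf("benign: %d samples, %zu bytes queued\n", r, last_queued_len());
    r = run_oversized_entry();
    printf("oversized entry: %d, %zu bytes queued\n", r, last_queued_len());
    r = run_queue_too_small();
    printf("queue too small: %d, %zu bytes queued\n", r, last_queued_len());
    return 0;
}
```

The two rejections are deliberately separate checks: a size the file cannot back is a read past the end of the input, and a size the queue cannot hold is the heap write the advisory describes; a parser needs both even when the allocation is sized from the same table.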
4.0 Recommendation

MyCERT recommends that users of iPhone OS version 3.0.1 and earlier upgrade to version 3.1, and that users of iPhone OS for iPod touch version 3.0 and earlier upgrade to version 3.1.1. The update can be performed in these 4 steps:
- Make sure you are using the latest version of iTunes. iTunes can be downloaded from the following URL: http://www.apple.com/itunes/download/
- Connect your iPhone or iPod touch to your computer
- Run iTunes, select your iPhone or iPod under "Devices" in the "Source List" on the left
- Click on "Check for Update" on the summary pane
MyCERT advises users of these products to keep themselves updated with the latest security announcements from the vendor. Members of the public who receive any suspicious MP3 or AAC files and require further analysis by MyCERT can reach us at the contact details below:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References