IPA Information-technology Promotion Agency, Japan
Security Alert for Vulnerability in iPhone OS

June 18, 2009

1.Overview

The “iPhone” and “iPod touch”, which are supplied by Apple Inc., have “iPhone OS” (iPod touch has “iPhone OS for iPod touch”) embedded as their base operating system.

“iPhone OS” contains a vulnerability which may lead “iPhone OS” to a denial-of-service (DoS) condition due to a problem in processing requests made via the network. If the vulnerability is exploited by an external attack, the “iPhone” or “iPod touch” may cease operation.

For detailed information, refer to the URL below:

For the latest information, refer to the URL below:

The IPA first received a report concerning this vulnerability from the person credited below on December 17, 2008. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor, and the announcement was made public on June 18, 2009.
Credit: Masaki Yoshida


2.Impact

When attacked from outside, the “iPhone” and “iPod touch” may cease operation. As a result, the “iPhone” or “iPod touch” may fall into a condition where user operations are not accepted.



3.Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.


4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score)
□ Low (0.0~3.9)
□ Medium (4.0~6.9)
■ High (7.0~10.0)
CVSS base score: 7.8

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High □ Medium ■ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact ■ None □ Partial □ Complete
I:Integrity Impact ■ None □ Partial □ Complete
A:Availability Impact □ None □ Partial ■ Complete

■:Selected Values

5. Type
