Apple Security Update Patches Comodo, Pwn2Own Issues
Among the patched vulnerabilities are three exploited during this year’s Pwn2Own contest at the CanSecWest Applied Security Conference, including a bug exploited by security researchers Charlie Miller and Dion Blazakis used to compromise an iPhone. In addition, Apple patched two security holes in the Webkit browser engine that were exposed at the conference as well.
The bug exploited by Miller and Blazakis is a memory corruption issue in QuickLook’s handling of Microsoft Office files, and can be leveraged by an attacker to execute code if a vulnerable user views a malicious crafted Office file.
Both of the WebKit vulnerabilities can be exploited to execute arbitrary code if a vulnerable user surfs to a malicious Web site. Of the two, one is an integer overflow that exists in the handling of nodesets. The other is a use-after-free issue in the handling of text nodes. The fixes for iOS are included in two updates: iOS 4.2.7, aimed at iOS 4.2.5 through 4.2.6 for iPhone 4 (CDMA); and iOS 4.3.2, aimed at iOS 3.0 through 4.3.1 for iPhone 3GS and later, iOS 3.1 through 4.3.1 for iPod touch (3rd generation) and later and iOS 3.2 through 4.3.1 for iPad.
Apple also issued an update to address the theft of digital certificates in the attack on a Comodo affiliate registration authority (RA), reported in March. The attack resulted in the issuance of nine SSL certificates to sites for seven domains, including www.google.com and login.skype.com.
The certificates were revoked as soon as the attack was discovered, and Apple stated in its advisory that the update blacklists the fraudulent certificates. Microsoft and Mozilla have issued updates to deal with the issue in their browsers as well.
“For iOS, this issue is addressed with iOS 4.3.2 and iOS 4.2.7,” the advisory states. “For Windows systems, Safari relies on the certificate store of the host operating system to determine if an SSL server certificate is trustworthy. Applying the update described in Microsoft Knowledge Base Article 2524375 will cause Safari to regard these certificates as untrusted.”