[Japanese]

JVNDB-2008-000039

Safari installed in iPod touch and iPhone vulnerable in handling server certificates

Overview

Safari web browser installed in iPod touch and iPhone contains a vulnerability which allows a self-signed or invalid server certificate to be accepted without the user's explicit concent.

Safari is a web browser provided by Apple. Safari installed in iPod touch and iPhone accepts a self-signed or invalid server cerficate without the user's explicit concent when connecting via SSL/TLS.

According to Apple, "When Safari accesses a website that uses a self-signed or invalid certificate, it prompts the user to accept or reject the certificate. If the user presses the menu button while at the prompt, then on the next visit to the site, the certificate is accepted with no prompt."

Hiromitsu Takagi reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Apple Inc.
  • iPhone v1.0 to v1.1.4
  • iPod touch v1.1 to v1.1.4

Impact

This vulnerability could be exploited to conduct a man-in-the-middle attack. As a result, this may lead to the disclosure of sensitive information.
Solution

[Update the Software]
Apply the latest updates provided by the vendor.
For more information, refer to the vendor's website.
Vendor Information

Apple Inc.
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2008-1589
References

  1. JVN : JVN#88676089
  2. National Vulnerability Database (NVD) : CVE-2008-1589
Revision History

  • [2008/07/16]
      Web page published