50025 : Apple iPhone / iPod Touch Passcode Lock Emergency Call Restriction Bypass
Printer | http://osvdb.org/50025 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
11	3269	over 3 years ago	over 3 years ago	3 times	90%

Timeline

Disclosure Date	Vendor Solution Date
2008-11-21	2008-11-21

Description

iPhoneOS contains a flaw that may allow a malicious user to bypass screen locking. The issue is triggered when Passcode Lock is enabled, but the emergency call option allows an attacker to dial any phone number. This flaw may lead to a loss of integrity.

Classification

Location: Physical Access Required
Attack Type: Other
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified

Solution

Upgrade to version 2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Apple Computer, Inc.	iPhone	1.0
		1.1
		2.1

References

Security Tracker: 1021271
CVE ID: 2008-4228 (see also: NVD)
Bugtraq ID: 32394
Secunia Advisory ID: 32756
Related OSVDB ID: 50023 50024 50025 50026 50027 50028 50029 50030
VUPEN Advisory: ADV-2008-3232
Mail List Post: http://lists.apple.com/archives/security-announce/2008/Nov/msg00002.html
Vendor Specific Advisory URL: http://support.apple.com/kb/HT3318
Vendor Specific News/Changelog Entry: http://support.apple.com/kb/HT3318

Credit

Unknown or Incomplete

CVSSv2 Score

CVSSv2 Base Score = 3.6
Source: nvd.nist.gov | Generated: 2008-11-26 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

2008/11/25 00:00:30 | Shields Up! Twelve Security Holes Fixed by New iPhone/iPod touch Firmware

from: The Apple News

Weldon did a phenomenal job covering the visible and functional changes in the iPhone/iPod touch 2.2 firmware release ... leaves your device and/or data vulnerable to attack. CVE-2008-4228 & CVE-2008-4229 &amp

2008/11/21 18:31:28 | iPhone software 2.2, emergency calls, and passcode security

from: Jaanus on the internet

iPhone software 2.2 was released today. I don’t yet know what other interesting features it has, but it has a bunch of security updates. And this one in particular caught my eye. Passcode Lock CVE-ID: CVE-2008-4228 Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1 Impact: Emergency calls

2008/11/21 17:03:13 | 12 Security Vulnerabilities Fixed In Apple iPhone OS 2.2 Update

from: Daily cyber threats and internet security news

12 Security Vulnerabilities Fixed In Apple iPhone OS 2.2 Update Apple has released iPhone OS 2 ... to an unexpected application termination or arbitrary code execution. CVE-2008-4228: iPhone

2008/11/21 14:59:46 | iPhone update kills 12 security bugs - ZDNet

from: IPhone news, updates and Iphone information

iPhone update kills 12 security bugs ZDNet - 2 hours ago Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code CVE-2008-4228: iPhone provides the ... iPhone Security vs. Safari Washington Post iPod Touch 2.2 Features and Security Tweaks Disclosed Softpedia all 6 news articles

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.