National Cyber Awareness System

Vulnerability Summary for CVE-2010-1754

Overview

Passcode Lock in Apple iOS before 4 on the iPhone and iPod touch does not properly handle alert-based unlocks in conjunction with subsequent Remote Lock operations through MobileMe, which allows physically proximate attackers to bypass intended passcode requirements via unspecified vectors.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

Solution

Per: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html 'Installation note: These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "4.0 (8A293)" or later.'}

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: XF

Name: appleios-passcodelock-security-bypass(59633)

Hyperlink:http://xforce.iss.net/xforce/xfdb/59633

External Source: BID

Name: 41016

Hyperlink:http://www.securityfocus.com/bid/41016

External Source: CONFIRM

Name: http://support.apple.com/kb/HT4225

Type: Advisory

Hyperlink:http://support.apple.com/kb/HT4225

External Source: APPLE

Name: APPLE-SA-2010-06-21-1

Type: Advisory

Hyperlink:http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html