CVE-2009-1679

Name of the Vulnerable Software and Affected Versions: Apple iPhone OS versions 1.0 through 2.2.1 iPhone OS for iPod touch versions 1.1 through 2.2.1

Description: The Profiles component, when installing a configuration profile, can replace the password policy from Exchange ActiveSync with a weaker password policy. This allows physically proximate attackers to bypass the intended policy.

Recommendations: For Apple iPhone OS versions 1.0 through 2.2.1, consider disabling the installation of configuration profiles until a patch is available. For iPhone OS for iPod touch versions 1.1 through 2.2.1, restrict the use of Exchange ActiveSync to minimize the risk of exploitation.