Charlie Miller

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.6.7 Apple iOS versions prior to 4.2.7 and 4.3.x prior to 4.3.2 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service due to memory corruption and application crash. This is achieved via a Microsoft Office document with a crafted size field in the OfficeArtMetafileHeader, related to OfficeArtBlip. The vulnerability was demonstrated on the iPhone by Charlie Miller and Dion Blazakis during a Pwn2Own competition at CanSecWest 2011. **Recommendations** For Apple Mac OS X versions prior to 10.6.7, update to version 10.6.7 or later to resolve the issue. For Apple iOS versions prior to 4.2.7, update to version 4.2.7 or later to resolve the issue. For Apple iOS versions 4.3.x prior to 4.3.2, update to version 4.3.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Android version 1.5 CRBxx Description: The issue allows remote attackers to cause a denial of service, resulting in application restart and network disconnection, via an SMS message containing a malformed WAP Push message. This message triggers an ArrayIndexOutOfBoundsException exception. Recommendations: For Android version 1.5 CRBxx, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Apple iPhone OS versions prior to 3.1 **Description** The issue is related to the Telephony component, which does not properly handle SMS arrival notifications. This allows remote attackers to cause a denial of service, resulting in a NULL pointer dereference and service interruption, via a crafted SMS message. **Recommendations** For versions prior to 3.1, update to version 3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iPhone OS versions prior to 3.0.1 **Description** The issue allows remote attackers to execute arbitrary code, obtain GPS coordinates, or enable the microphone via an SMS message that triggers memory corruption. **Recommendations** For versions prior to 3.0.1, update to version 3.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime versions prior to 7.6.2 **Description** The issue is related to a heap-based buffer overflow that can be triggered by a crafted JP2 image, allowing remote attackers to execute arbitrary code or cause the application to crash. **Recommendations** For versions prior to 7.6.2, update to version 7.6.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions 10.4.11 through 10.5.6 **Description** A heap-based buffer overflow issue exists, allowing remote attackers to execute arbitrary code via a crafted Compact Font Format (CFF) font. **Recommendations** For Apple Mac OS X versions 10.4.11 through 10.5.6, update to version 10.5.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenCORE versions 2.0 and earlier **Description** The issue is related to an integer underflow in the Huffman decoding functionality, specifically in the pvmp3 huffman parsing.cpp file. This allows remote attackers to cause a denial of service, resulting in a process crash, and potentially execute arbitrary code via a crafted MP3 file that triggers heap corruption. **Recommendations** For OpenCORE versions 2.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 3.1.1 **Description** The issue is related to an integer overflow in the PCRE regular expression compiler, which can be exploited by remote attackers to execute arbitrary code. This is achieved through a regular expression with large, nested repetition counts, triggering a heap-based buffer overflow. **Recommendations** For versions prior to 3.1.1, update to version 3.1.1 or later to resolve the issue.