First published: Fri Jun 19 2009
The Profiles component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1, when installing a configuration profile, can replace the password policy from Exchange ActiveSync with a weaker password policy, which allows physically proximate attackers to bypass the intended policy.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
iPhone OS | =1.0.0 | |
iPhone OS | =1.0.1 | |
iPhone OS | =1.0.2 | |
iPhone OS | =1.1.0 | |
iPhone OS | =1.1.1 | |
iPhone OS | =1.1.2 | |
iPhone OS | =1.1.3 | |
iPhone OS | =1.1.4 | |
iPhone OS | =1.1.5 | |
iPhone OS | =2.0 | |
iPhone OS | =2.0.0 | |
iPhone OS | =2.0.1 | |
iPhone OS | =2.0.2 | |
iPhone OS | =2.1 | |
iPhone OS | =2.1.1 | |
iPhone OS | =2.2 | |
iPhone OS | =2.2.1 | |
iPhone OS | | |
Apple iPod touch | | |
CVE-2009-1679 has been assigned a medium severity rating due to the potential to weaken password policies on affected devices.
To mitigate CVE-2009-1679, ensure that your iPhone OS or iPod touch devices are updated to the latest firmware version available.
CVE-2009-1679 affects Apple iPhone OS versions from 1.0 through 2.2.1 and Apple iPod touch versions from 1.1 through 2.2.1.
Users of Apple iPhone OS and iPod touch devices who install configuration profiles are potentially at risk from CVE-2009-1679.
This vulnerability allows physically proximate attackers to bypass the stronger Exchange ActiveSync password policy, because installing a configuration profile can replace that policy with a weaker one.