Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Flaws in Apple Productivity Apps Expose Users to Attacks

Updates released last week by Apple for its productivity apps address a series of vulnerabilities that can be exploited for denial-of-service (DoS) attacks, arbitrary code execution, and user information leakage.

Updates released last week by Apple for its productivity apps address a series of vulnerabilities that can be exploited for denial-of-service (DoS) attacks, arbitrary code execution, and user information leakage.

With the release of Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6, Apple resolved multiple input validation issues related to how maliciously crafted documents are parsed. The vulnerabilities were reported to the tech giant by Bruno Morisson of INTEGRITY S.A (CVE-2015-3784), and researchers Behrouz Sadeghipour and Patrik Fehrenbach (CVE-2015-7032).

Sadeghipour and Fehrenbach, who earlier this year reported finding a serious email spoofing flaw in the Google Apps Admin console, identified a vulnerability that can be exploited using a specially crafted document that contains malicious XML data.

Exploitation of the vulnerability, reported to Apple on July 23, can result in user information getting compromised via what is known as an XML External Entity (XXE) attack, Sadeghipour told SecurityWeek on Wednesday.

The researcher pointed to OWASP’s definition of such attacks, which says: “An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.”

According to the expert, an attacker can exploit the vulnerability by sending a specially crafted Pages, Keynote, or Numbers file to the targeted user. Once the document is opened, the malicious XML data it contains is executed and it reaches an external XML file located on a host controlled by the attacker.

The latest versions of Apple’s productivity apps, available for OS X Yosemite v10.10.4 or later and iOS 8.4 or later, also patch a memory corruption issue (CVE-2015-7033) reported by Felix Groebert of the Google Security Team. Exploitation of the flaw using maliciously crafted documents can lead to the unexpected termination of the application opening the file, or arbitrary code execution.

Advertisement. Scroll to continue reading.

Groebert also reported a memory corruption issue related to how Pages parses maliciously crafted documents (CVE-2015-7034). This vulnerability can also result in unexpected app termination or code execution.

While Apple’s software is generally considered more secure compared to Windows and Android, reports published over the past couple of months have demonstrated that Apple users can still be at risk. Here are some examples:

Apple Working to Patch Gatekeeper Bypass Flaw

XcodeGhost Compiler Malware Targets iOS, OS X Systems

Apple Updates “Sideloading” Process in iOS 9 to Boost App Security

Apple Patches Vulnerabilities in iOS, OS X, iTunes, Xcode

Apple WatchOS 2 Patches Tens of Vulnerabilities

Apple Pulls Data Snooping Apps From App Store

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.