
Apple fixes serious flaws in the Productivity Apps


Updates released last week by Apple for its Productivity Apps fix several flaws that can be exploited in a number of attacks.

Apple has recently released Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 to fix multiple flaws in the Productivity Apps, mainly related to input validation issues that caused problems while parsing maliciously crafted documents.

The vulnerabilities were reported by the researchers Bruno Morisson of INTEGRITY S.A (CVE-2015-3784), and Behrouz Sadeghipour and Patrik Fehrenbach (CVE-2015-7032).

Sadeghipour and Fehrenbach discovered a vulnerability that attackers can exploit using a specially crafted document that includes malicious XML data. Apple has been aware of the possible exploitation of the flaw since July.

This particular attack is known as an XML External Entity (XXE) attack; the attackers just need to send a specially crafted Pages, Keynote, or Numbers file to the targeted user.


According to the expert, an attacker can exploit the vulnerability by sending a specially crafted Apple Productivity Apps file to compromise the targeted user. When the victim opens the file, it triggers the execution of malicious code included in the XML data and reaches an external XML file located on a host controlled by the attacker.

“An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts,” states the OWASP organization about this specific kind of attack.
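The "weakly configured XML parser" condition in the OWASP description can be checked for before a document reaches the real parser. The following is an added example, not code from Apple or from the researchers: it uses Python's standard `pyexpat` bindings to report DOCTYPE and external entity declarations without fetching them. The function names, the strict "no DOCTYPE" policy and the sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat

def scan_xml(xml_bytes):
    """List DTD features in xml_bytes that a hardened parser should refuse.

    Nothing is fetched: pyexpat only reports declarations to the handlers.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External entities have no inline value, only a system identifier.
        if system_id is not None:
            findings.append(("external-entity", name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        findings.append(("external-entity-used", system_id))
        return 1  # non-zero: keep parsing; the resource is never opened

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(("malformed", str(exc)))
    return findings

def is_acceptable(xml_bytes):
    """Strict policy: accept only well-formed XML with no DOCTYPE at all."""
    return not scan_xml(xml_bytes)

# Constructed samples (not taken from the affected Apple file formats).
CLEAN = b"<doc><title>Q3 budget</title></doc>"
CRAFTED = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE doc [\n'
    b'  <!ENTITY ext SYSTEM "http://collector.example.invalid/ext.xml">\n'
    b']>\n'
    b'<doc><title>&ext;</title></doc>'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("crafted", CRAFTED)):
        print(label, is_acceptable(sample), scan_xml(sample))
```

Rejecting every DOCTYPE is stricter than rejecting only external entities, but it matches the usual hardening advice for parsers that handle untrusted documents.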

The Apple Productivity Apps were also affected by a memory corruption issue (CVE-2015-7033) reported by Felix Groebert of the Google Security Team.

An attacker can exploit the flaw, once again using maliciously crafted documents, to crash the applications that open them or to achieve arbitrary code execution.

Groebert also reported a memory corruption flaw affecting the way Apple Pages parses maliciously crafted documents (CVE-2015-7034); exploitation of the vulnerability can also result in an application crash or code execution.

Pierluigi Paganini

Security Affairs –  (Apple Productivity Apps, hacking)