Apple has recently released Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 to fix multiple flaws in the Productivity Apps, mainly related to input validation issues that caused problems while parsing maliciously crafted documents.
The vulnerabilities were reported by the researchers Bruno Morisson of INTEGRITY S.A (CVE-2015-3784), and Behrouz Sadeghipour and Patrik Fehrenbach (CVE-2015-7032).
Sadeghipour and Fehrenbach discovered a vulnerability that can be exploited by attackers using a specially crafted document that includes malicious XML data, Apple is aware of the possible exploitation of the flaw since July.
This particular attack is known as XML External Entity (XXE) attack, the attackers just need to send a specially crafted Pages, Keynote, or Numbers file to the targeted user.
According to the expert, an attacker can exploit the vulnerability by sending a specially crafted Apple Productivity Apps file to compromise the targeted user. When the victim opens the file, it triggers the execution of malicious code included in the XML data and it reaches an external XML file located on a host controlled by the attacker.
“An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.” states the OWASP organization about this specific kind of attack.
The Apple Productivity Apps were also affected by a memory corruption issue (CVE-2015-7033) reported by Felix Groebert of the Google Security Team.
An attacker can exploit the flaw using once again maliciously crafted documents that can crash applications opening them, or that can lead arbitrary code execution.
Groebert also reported a memory corruption flaw affecting the way Apple Pages parses maliciously crafted documents (CVE-2015-7034), the exploitation of the vulnerability can also result in application crashing or code execution.
Security Affairs – (Apple Productivity Apps, hacking)