VYPR
Unrated severity · NVD Advisory · Published Apr 10, 2015 · Updated May 6, 2026

CVE-2015-1093

Description

FontParser in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption bug in Apple's FontParser allows remote code execution via a crafted font file on iOS before 8.3 and OS X before 10.10.3.

Vulnerability

The vulnerability resides in the FontParser component of Apple iOS (prior to 8.3) and OS X (prior to 10.10.3). A memory corruption issue exists in the processing of font files, which can be triggered by a specially crafted font. The affected versions include iOS 8.0 through 8.2 and OS X Yosemite v10.10 through v10.10.2 [1][2][3].

Exploitation

An attacker can trigger the vulnerability by convincing a user to open a malicious font file, for instance, by visiting a compromised website or opening a crafted email attachment. No special network position or authentication is required beyond standard user interaction. The attack vector involves delivering a malformed font that is parsed by FontParser, leading to memory corruption.

Impact

Successful exploitation allows a remote attacker to execute arbitrary code on the target system or cause a denial of service via memory corruption. The code execution occurs in the context of the application processing the font, which could be a WebKit process or other system component. This can lead to full system compromise on both iOS and OS X devices.

Mitigation

Apple addressed the issue in iOS 8.3 (released April 8, 2015) and OS X Yosemite v10.10.3 (released April 8, 2015), as detailed in their security advisories [1][2]. The vulnerability is also fixed in Watch OS 1.0.1 [3]. Users should update to the latest available versions. No workarounds are documented; applying the security updates is the only mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
