VYPR
Unrated severity · NVD Advisory · Published Jul 3, 2015 · Updated May 6, 2026

CVE-2015-3703

Description

ImageIO in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted TIFF image can trigger memory corruption in Apple's ImageIO, leading to remote code execution or denial of service on iOS and OS X.

Vulnerability

A memory corruption vulnerability exists in the ImageIO framework used in Apple iOS before 8.4 and OS X before 10.10.4 [1][2]. The flaw is triggered when processing a specially crafted TIFF image file. No special configuration beyond default system settings is required; the vulnerable code path is reached by any application that decodes TIFF images via ImageIO, such as the system image viewer or web content in Safari.

Exploitation

An attacker must deliver a malicious TIFF image to the target device, typically through email, a website, or a crafted file download. No authentication is required; the target user merely needs to open or preview the image. Memory corruption occurs during parsing of the malformed TIFF data, which can be leveraged by the attacker to control execution flow.

Impact

Successful exploitation grants the attacker arbitrary code execution at the privilege level of the affected application (e.g., mobile Safari or the kernel if reachable via a system service), or a denial of service via crash. The impact is rated high because remote code execution on a user's device compromises confidentiality, integrity, and availability of local data.

Mitigation

Apple addressed this issue in iOS 8.4, released July 30, 2015 [2], and OS X Yosemite v10.10.4, released June 30, 2015 [1]. Users should update affected devices to these or later versions. No workarounds are available; disabling TIFF image processing is not practical. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

6
