Unrated severity · NVD Advisory · Published Jul 3, 2015 · Updated May 6, 2026

CVE-2015-3723

Description

Remote code execution via crafted ICC profile in PDF documents affecting Apple iOS prior to 8.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CoreGraphics in Apple iOS before 8.4 contains a memory corruption vulnerability that can be triggered when processing a crafted ICC profile embedded in a PDF document. An attacker can achieve arbitrary code execution or denial of service by convincing a user to open a malicious PDF file on an affected device. This issue affects iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later running iOS versions prior to 8.4 [1].

Exploitation

The attacker must deliver a PDF document containing a specially crafted ICC profile to the target user. No authentication is required; the only prerequisite is normal user interaction, in which the user opens the PDF in an application that renders it via CoreGraphics. The memory corruption occurs while the ICC profile data is parsed, which can lead to attacker-controlled behavior [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the application processing the PDF, leading to full compromise of the device's data and functionality, or cause a denial of service via application crash or device restart. This is a remote code execution vulnerability with high severity [1].

Mitigation

Apple addressed this issue in iOS 8.4, released on June 30, 2015. Users should update their devices to iOS 8.4 or later via the Software Update mechanism to remediate the vulnerability [1]. No workaround other than the update is available.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

4
