CVE-2015-3724

Vulnerability

CoreGraphics in Apple iOS prior to version 8.4 contains a memory corruption vulnerability when parsing ICC profiles embedded in PDF documents. This affects iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later. The issue is triggered by a specially crafted ICC profile within a PDF file, leading to memory corruption that can be exploited by attackers. [1]

Exploitation

An attacker can exploit this vulnerability by delivering a malicious PDF document containing a crafted ICC profile to a target device. The user must open the PDF file, typically via Safari, Mail, or other applications that render PDFs using CoreGraphics. No additional authentication or user interaction beyond opening the document is required for the attack to proceed. [1]

Impact

Successful exploitation results in arbitrary code execution with the privileges of the process handling the PDF, typically mobile Safari or Mail. Alternatively, an attacker could cause a denial of service (application crash) by triggering memory corruption. This could lead to full compromise of the device's data and functionality. [1]

Mitigation

Apple addressed this vulnerability in iOS 8.4, released on June 30, 2015. Users are advised to update their devices to iOS 8.4 or later to mitigate the risk. No other workarounds are documented. [1]