CVE-2015-3732

Vulnerability

A memory corruption vulnerability exists in WebKit, affecting Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8 [1][2]. The flaw can be triggered when a user visits a maliciously crafted website, leading to memory corruption and application crash. This is one of several WebKit CVEs addressed in the referenced Apple security updates.

Exploitation

An attacker must convince the victim to visit a specially crafted website, typically through social engineering or by compromising a legitimate site. No additional authentication or privileges are required. The attacker does not need to target a specific system state; the exploit occurs simply through rendering the malicious web content.

Impact

Successful exploitation can lead to arbitrary code execution in the context of the affected application (Safari or other iOS apps using WebKit), or cause a denial of service due to application crash. The attacker gains the ability to execute arbitrary code, which may lead to full system compromise on iOS or Mac OS X depending on the sandbox restrictions.

Mitigation

Apple released fixes in iOS 8.4.1 [1] and Safari 6.2.8, 7.1.8, and 8.0.8 [2] on August 13, 2015. Users should update their devices to these versions or later. No workarounds are available in the references. This CVE is not listed on the CISA KEV catalog as of the available data.