VYPR
Unrated severity · NVD Advisory · Published Aug 16, 2015 · Updated May 6, 2026

CVE-2015-3776

Description

IOKit in Apple iOS before 8.4.1 and OS X before 10.10.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption and application crash) via a malformed plist.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A malformed plist causes memory corruption in Apple's IOKit, allowing arbitrary code execution in kernel context on iOS before 8.4.1 and OS X before 10.10.5.

Vulnerability

A vulnerability exists in Apple's IOKit framework on iOS before 8.4.1 and OS X before 10.10.5. The issue is triggered when IOKit processes a malformed plist (property list), leading to memory corruption. No special configuration is required; the vulnerable code path is present in the default IOKit driver handling for both iOS and OS X [1][2].

Exploitation

An attacker can trigger the vulnerability by delivering a crafted plist to the target system. On iOS, this could be done through a malicious application or via a web page that passes the plist to IOKit through a system service. On OS X, a local attacker or a remote attacker who convinces the user to open a specially crafted file could exploit this. No authentication is required if the attack vector is a crafted file or network request that reaches IOKit. In each case the attacker supplies a malformed plist, and IOKit's parsing of it causes memory corruption [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in a privileged kernel context, gaining full control over the device. Alternatively, the attacker could cause a denial of service by triggering a system crash. The impact includes complete compromise of confidentiality, integrity, and availability at the kernel level [1][2].

Mitigation

Apple addressed the vulnerability in iOS 8.4.1, released on August 13, 2015, and in OS X Yosemite v10.10.5 and Security Update 2015-006, released on the same date. Users should update to these versions or later. No workarounds are documented; the only mitigation is installing the software updates [1][2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

References: 6