VYPR
Unrated severity · NVD Advisory · Published Aug 17, 2015 · Updated May 6, 2026

CVE-2015-3794

Description

The Speech UI in Apple OS X before 10.10.5, when speech alerts are enabled, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Unicode string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption vulnerability in OS X Speech UI allows remote code execution via a crafted Unicode string when speech alerts are enabled.

Vulnerability

The Speech UI component in Apple OS X Yosemite versions 10.10 through 10.10.4, when speech alerts are enabled, contains a memory corruption vulnerability. A remote attacker can trigger the issue by delivering a crafted Unicode string to the system, leading to memory corruption. The vulnerability is addressed in OS X Yosemite 10.10.5 [1].

Exploitation

An attacker does not require authentication or local access. The victim must have speech alerts enabled (a system preference). The attacker can deliver the malicious Unicode string via a web page, email, or other means that causes the Speech UI to process the string. When the system attempts to handle the crafted Unicode data, memory corruption occurs, potentially allowing code execution or causing a crash.

Impact

Successful exploitation allows a remote attacker to execute arbitrary code in the context of the Speech UI process, or cause a denial of service via application crash. The exact privilege level is not specified, but code execution could lead to further system compromise.

Mitigation

Apple released OS X Yosemite 10.10.5 on August 13, 2015, which includes a fix for this vulnerability [1]. Users should update to OS X 10.10.5 or later. No workaround is available if speech alerts are required; disabling speech alerts may reduce exposure but is not a complete mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

4
