CVE-2015-5777

Vulnerability

CVE-2015-5777 is a memory corruption vulnerability in CoreMedia Playback, present in Apple iOS versions prior to 8.4.1 and OS X versions prior to 10.10.5. A remote attacker can exploit this issue by providing a specially crafted movie file, which when processed by the vulnerable CoreMedia component leads to memory corruption. This vulnerability is distinct from CVE-2015-5778, which affects the same component.

Exploitation

An attacker can trigger this vulnerability by delivering a maliciously crafted movie file to the target. This could be achieved through various vectors such as a website hosting the crafted file, a malicious email attachment, or any other means that causes the file to be opened or processed by CoreMedia Playback. No authentication is required, and user interaction is limited to opening the file or visiting a page that automatically loads the content.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the affected system with the privileges of the current user, or cause a denial of service (application crash). This leads to full compromise of confidentiality, integrity, and availability of the user's session. The severity is rated with a CVSS base score of 6.8, reflecting the potential for code execution with minimal user interaction.

Mitigation

Apple addressed this vulnerability in iOS 8.4.1 [2] and OS X Yosemite v10.10.5 and Security Update 2015-006 for OS X Mavericks v10.9.5 [1]. Users should update their devices to the latest available versions as soon as possible. No workarounds are publicly documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publishing.