VYPR
Low severity (3.3) · NVD Advisory · Published May 20, 2016 · Updated May 6, 2026

CVE-2016-1796

Description

Apple Type Services (ATS) in Apple OS X before 10.11.5 allows attackers to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds memory access) via a crafted app.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap buffer overflow in Apple Type Services (ATS) on OS X before 10.11.5 allows attackers to leak kernel memory or cause a denial of service via a crafted app.

Vulnerability

A heap-based buffer overflow vulnerability exists in the GetUncompressedBitmapRepresentation method of Apple Type Services (ATS) on Apple OS X El Capitan before 10.11.5 [1][2]. The flaw is due to improper validation of the length of user-supplied data before copying it to a heap-based buffer [2]. This affects all versions of OS X El Capitan 10.11 prior to 10.11.5 [1].

Exploitation

An attacker can trigger this vulnerability by convincing a user to open a crafted file or visit a malicious page [2]. No authentication is required, and the attacker does not need any special system access [2]. The crafted app must call the vulnerable ATS API with specially crafted bitmap data to trigger the out-of-bounds write [2].

Impact

Successful exploitation can result in the disclosure of sensitive kernel memory layout information or an out-of-bounds memory access that causes a denial of service [1][2]. In the context of user-level exploitation, arbitrary code execution under the user's privileges is possible [2]. The kernel memory information leak could aid in further attacks.

Mitigation

Apple released OS X El Capitan 10.11.5 on May 18, 2016, which addresses this vulnerability through improved memory handling [1]. Users should update to OS X El Capitan v10.11.5 or later [1]. No workarounds are documented in the available references. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

5
