CVE-2017-13892

Vulnerability

An issue existed in the handling of Contact sharing on macOS High Sierra 10.13.1 and earlier, Sierra, and El Capitan. The vulnerability allowed sharing contact information in a way that could lead to unexpected data sharing. The issue was addressed with improved handling of user information. The fix is included in macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan [1].

Exploitation

An attacker would need to convince a user to share their contact information through an app or service that leverages the Contacts framework. The vulnerability involves a failure to properly restrict the scope of shared data, potentially exposing more information than intended. No technical details about the exact exploitation sequence are disclosed in the available reference [1].

Impact

Successful exploitation could result in unintended disclosure of contact information to third parties, violating the user's expectation of privacy. The impact is limited to information disclosure (confidentiality) and does not affect the integrity or availability of the system [1].

Mitigation

Apply the software updates provided by Apple: macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, or Security Update 2017-005 El Capitan, all released on December 6, 2017 [1]. No workaround is documented; users should update to the patched versions.