CVE-2017-7005

Vulnerability

CVE-2017-7005 is a memory corruption vulnerability in the JavaScriptCore component of Apple iOS before 10.3.2, Safari before 10.1.1, and tvOS before 10.2.1 [1][2][3]. The bug arises during JSArray::fastSlice when a type confusion occurs between array indexing types after JSGlobalObject::haveABadTime is called [4]. Specifically, arrays created after a "bad time" are forced into ArrayWithSlowPutArrayStorage, but arrays from another JSGlobalObject can retain different indexing types, leading to memory corruption when memcpy assumes a consistent type [4].

Exploitation

An attacker must lure a victim into visiting a crafted malicious web site [1][3]. The exploit requires no special network position beyond serving the page. The type confusion in the fastSlice operation (triggered when a JavaScript operation uses Array.prototype.slice on arrays from different global objects) leads to a mismatch between the expected and actual array storage type, causing out-of-bounds memory access [4]. No authentication or user interaction beyond loading the page is required.

Impact

Successful exploitation allows remote arbitrary code execution within the context of the affected application (Safari, WebKit) or may cause a denial of service through application crash [1][3]. The attacker gains the ability to execute arbitrary code with the privileges of the user running the browser, potentially leading to further compromise of the system [2][3].

Mitigation

Apple addressed this issue in iOS 10.3.2, Safari 10.1.1, and tvOS 10.2.1, all released on May 15, 2017 [1][2][3]. Users should update to these or later versions. No workarounds are provided in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the available references.