VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2019 · Updated Aug 4, 2024

CVE-2019-8657

Description

An out-of-bounds read in Apple's CoreGraphics framework lets a malicious office document crash the app or execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-8657 is an out-of-bounds read vulnerability in the CoreGraphics component on Apple platforms. Parsing a specially crafted office document can trigger the flaw. The issue affects iOS prior to 12.4, macOS Mojave prior to 10.14.6, tvOS prior to 12.4, and watchOS prior to 5.3 [1][2][3][4]. Apple addressed the issue with improved input validation.

Exploitation

An attacker must deliver a maliciously crafted office document to the target user. No special network position or authentication is required beyond convincing the user to open the document in an application that relies on the affected CoreGraphics parsing code (e.g., many office suites). The out-of-bounds read occurs during document parsing, and successful exploitation does not require additional user interaction after the document is opened.

Impact

Successful exploitation can lead to unexpected application termination (denial of service) or arbitrary code execution in the context of the application. The attacker gains the ability to execute code with the privileges of the user who opened the document, potentially leading to full system compromise on affected Apple devices.

Mitigation

Apple released fixes in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, and watchOS 5.3 on July 22, 2019 [1][2][3][4]. Users should update their devices to these or later versions. There is no known workaround other than applying the patches. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4
