Exploit:iPhoneOS/CVE-2014-4377 identifies a maliciously crafted PDF document that attempts to exploit the CVE-2014-4377 vulnerability in iOS 7.1.x; successful exploitation would allow an attacker to remotely execute arbitrary code on the affected device.
When enabled, F-Secure Freedome will automatically block an exploit attempt against the CVE-2014-4377 vulnerability.
The vulnerabilities (CVE-2014-4377 and CVE-2014-4378) leveraged by this exploit are found in operating system versions prior to iOS 8. To proactively prevent exploitation, please refer to the system vendor for the latest updates and additional advice.
CVE-2014-4377 is an identifier for a vulnerability in the way the iOS CoreGraphics framework handles PDF files. This vulnerability is found in versions of the iOS operating system prior to version 8.
iPhone, iPad and iTouch devices which have not been (or in some cases, cannot be) upgraded to the latest operating system version are affected by this vulnerability. Apple TVs below version 7 are also affected.
A proof-of-concept (POC) exploit - complete with source code - targeting the CVE-2014-4377 vulnerability was made publicly available in late September 2014. At the time of writing, no attacks in-the-wild against this vulnerability have been reported.
This vulnerability may be exploited by a maliciously crafted PDF document. In a web-based scenario, users may be lured or redirected to a specially crafted webpage containing a malformed PDF document. As the Safari browser allows PDF documents to be automatically loaded and displayed as HTML images without user interaction, the user may be unaware of the presence of such documents on the page. If the exploit file is successfully loaded on the web browser of a vulnerable device, the vulnerability is then automatically exploited.
To successfully complete, an attack would need to exploit an additional vulnerability (CVE-2014-4378); exploit code targeting this vulnerability is also publicly available.
If an attack is successful, the attacker may remotely execute arbitrary code on the affected device and may, essentially, gain complete system control.
For more information, see: