CVE-2014-4377 is an identifier for a vulnerability in the way the iOS CoreGraphics framework handles PDF files. This vulnerability is found in versions of the iOS operating system prior to version 8.
iPhone, iPad and iTouch devices which have not been (or in some cases, cannot be) upgraded to the latest operating system version are affected by this vulnerability. Apple TVs below version 7 are also affected.
A proof-of-concept (POC) exploit - complete with source code - targeting the CVE-2014-4377 vulnerability was made publicly available in late September 2014. At the time of writing, no attacks in-the-wild against this vulnerability have been reported.
This vulnerability may be exploited by a maliciously crafted PDF document. In a web-based scenario, users may be lured or redirected to a specially crafted webpage containing a malformed PDF document. As the Safari browser allows PDF documents to be automatically loaded and displayed as HTML images without user interaction, the user may be unaware of the presence of such documents on the page. If the exploit file is successfully loaded on the web browser of a vulnerable device, the vulnerability is then automatically exploited.
To successfully complete, an attack would need to exploit an additional vulnerability (CVE-2014-4378); exploit code targeting this vulnerability is also publicly available.
If an attack is successful, the attacker may remotely execute arbitrary code on the affected device and may, essentially, gain complete system control.
For more information, see: