Operating System:

[MAC][Apple iOS]

Published:

16 October 2015

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2015.2612 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2612
        Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6
                              16 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple Keynote
                   Apple Pages
                   Apple Numbers
                   Apple iWork
Publisher:         Apple
Operating System:  Apple iOS
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7034 CVE-2015-7033 CVE-2015-7032
                   CVE-2015-3784  

Reference:         ESB-2015.2114
                   ESB-2015.2113

Original Bulletin: 
   https://support.apple.com/en-au/HT205373

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2015-10-15-1  Keynote 6.6, Pages 5.6, Numbers 3.6, and
iWork for iOS 2.6

Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 are now
available which address the following:

Keynote, Pages, and Numbers
Available for:  OS X Yosemite v10.10.4 or later, iOS 8.4 or later
Impact:  Opening a maliciously crafted document may lead to
compromise of user information
Description:  Multiple input validation issues existed in parsing a
maliciously crafted document. These issues were addressed through
improved input validation.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
CVE-2015-7032 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach
(@ITSecurityguard)

Keynote, Pages, and Numbers
Available for:  OS X Yosemite v10.10.4 or later, iOS 8.4 or later
Impact:  Opening a maliciously crafted document may lead to
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in parsing a
maliciously crafted document. This issue was addressed through
improved memory handling.
CVE-ID
CVE-2015-7033 : Felix Groebert of the Google Security Team

Pages
Available for:  OS X Yosemite v10.10.4 or later, iOS 8.4 or later
Impact:  Opening a maliciously crafted Pages document may lead to
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in parsing a
maliciously crafted Pages document. This issue was addressed through
improved memory handling.
CVE-ID
CVE-2015-7034 : Felix Groebert of the Google Security Team

Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 may
be obtained from the App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJWIChpAAoJEBcWfLTuOo7tm6wP/A7VLym8s1mxvtZtkL6rlP9G
LDuDKD6Q+ukd4EU41unLvgJC3DrC5XmJKBySrReX7hLBbHMElCFOa971+GVZl4aE
9gbX3zJvNf9uIzP3VSpmYw1tIdZVXr275ypdG+Nlc1YBCpcdMD6ohD9dJD1zdG8l
ieuEvRFFUFGdgtIk5PO6YKHstYFkcQbbmt/uy61y3CglIDWyPOeJ7m6DWlCPYB3I
PtY82ust1XPpJT0WSH3sfLyhluoq89VFPmiZhwDnOUopWuLmNoLntoQFnbCnRNwd
5nGzjukKGe8eQQ5guZP8wo+t57Rz37povvDWOXxvuk2mjjr0+ejQpRk+c7/4aIkX
Uyz4nW4DGCEjXDA8/yT5HXWHb7m28WehV5fnUiNVkl0PltwLY5nlSk29sD2BMiT6
DY3KUXT6ppZxqVMm3HEzM3VQKD5kfiFJkzXx1QtOzx4mAyTUKqN98Ni7ijf/O7CI
xjyNOCBNcMRtqA0ySUncvMiCeRo1b7Y2hthqY6GtmRjKbq2D8ooZyiEHGv6E10g1
Hn46jPJWPKcOMudszPUc2/AIaj94+Xb7Esq3wUSkz5e7c068oxUFBZLjVDeH8P8i
/3AUN6OXLVoGCkQvdv0kvsmQDsTJqq3iUkBSDSzE5RD8GDYh+cyi+54ZFV7BKhCi
ikrC4CqPxEcf3lk6bXKi
=Zci4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBViBfPn6ZAP0PgtI9AQJghBAAq90Ncu3y3vmyVokqeEf3xzpNPhYS9ttE
LinjPsisdVbujWPmixNpJ4C6RNbtPIiNfUpj4CvrtWmWiIcXSwIzNMn9C6D8kVU/
kA86Ycendkldl2r/sW/heuCot99sD+agZA85fslg1wUzAESP22TCWhXM15NuevqE
BO1dYFvS7q1wjMd6MXIrBncWbq1N0eK4NM28GT3q4wwA1ioJcpsFkE8qgjALCLY3
AUONm0GqNfCrI4tc41KkbeISRoR+K2Yu5eMNQF10Ox/guzY7O2q/KmH3U+L7LJ1D
M+isHJUwafCqzo9aqtFiV+cJxocJyqt65pePouSbunC3zgnHXCxfG1gd6qma5q8/
/dTIgSAqJ6RLQqz5M/p4ssO40Uvr8592v1eO+d3ri8pd4Df3gDD33b/xP0Nip5mZ
QSl8fCyT2C/T3q1hDpiqkCuImKy4isfCKvo2TXosTpMWoMCwJpIX7ASqvWZXZkUy
R1q0dmfFs6Rez7gE01UDKtLAlvRmOu6WdJjZH8u9v5RACjAd0E4P37XOQMbAl8UG
zRMkJbDhTSEcZxCVInL6p++QOpBlGYcZbkEwuKGWhh0/xAWze6ktlQVbL85rcWgw
DuymUaK4LZ6cAlhqyk1qQoga7KoQRdLIVRKIUbxcKsJmTBoA7J8wqIMXPMEKvej8
rwNlSa2xVpo=
=V2ym
-----END PGP SIGNATURE-----