Palo Alto Networks researchers Tongbo Luo and Bo Qu are credited with discovering a new vulnerability (CVE-2015-7066) in OpenGL and Webkit that impacts all of Apple’s major products, including:
- iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
- Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
- OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
- Apple TV (4th generation)
CVE-2015-7066 is a memory corruption issue that can lead to remote code execution when a user views a maliciously crafted website. This vulnerability can be exploited through a drive-by attack embedded in a website, or through a phishing attack using e-mail messages to lure victims to a malicious link.
At this time we are not aware of any attacks exploiting this vulnerability in the wild.
By proactively identifying vulnerabilities, developing protections for our customers, and sharing them with Apple for patching, we are removing weapons used by attackers to compromise enterprise, government and service provider networks.
We have released IPS signature 38581 to detect this vulnerability in our Threat Prevention product.