coresymbolicationd in CoreSymbolication in Apple OS X prior to 10.10.2 does not verify that expected data types are present in XPC messages, which allows malicious users to execute arbitrary code in a privileged context via a crafted app, as demonstrated by lack of verification of xpc_dictionary_get_value API return values during handling of a (1) match_mmap_archives, (2) delete_mmap_archives, (3) write_mmap_archive, or (4) read_mmap_archive command.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apple mac os x |