Apple on Thursday patched a handful of vulnerabilities in several iterations of its Keynote, Pages, Numbers and iWork productivity software.
The most serious of the security flaws allow an attacker to execute code on a compromised OS X computer running Yosemite 10.10.4 or later, or iOS 8.4 or later on mobile devices.
Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 were vulnerable to multiple input validation vulnerabilities that could be exploited when parsing a document hosting an exploit. Apple said opening a malicious document in either of the applications could lead to loss of user information; it addressed the problem by improving input validation, Apple said.
A separate memory corruption vulnerability could also be exploited in Keynote, Pages and Numbers that could crash the application and result in an attacker being able to run code on the affected machine.
Another memory corruption flaw exists in Pages exclusively that could also lead to Pages crashing and the attacker running code of their choice. In both cases, Apple said it improved memory handling to address the vulnerability.
Mozilla Patches Flaw in Firefox
Also on Thursday, Mozilla announced it had made Firefox 41.0.2 available.
The updated version of the browser patched a cross-origin restriction bypass vulnerability Mozilla ranked “high.”
Mozilla said in its advisory that the fetch()API in Firefox did not correctly implement the corss-origin resource sharing specification. As a result, an attacker hosting a malicious webpage could access private data from other origins.