Vulnerability identifier: #VU6576

Vulnerability risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2497

CWE-ID: CWE-601

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apple iOS
Operating systems & Components / Operating system

Vendor: Apple Inc.

Description
The vulnerability allows a remote attacker to perform phishing attacks.

The weakness exists due to improper validation of user-supplied data used to redirect visitors to external pages. A remote attacker can create a specially crafted ebook, trick the victim into opening it and redirect a user to a malicious Web site that would appear to be trusted and obtain potentially sensitive information.

Successful exploitation of the vulnerability will allow to steal valid user's credentials and use the information to conduct further attacks.

Mitigation
Update to version 10.3.2.

Vulnerable software versions

Apple iOS: 10.3 - 10.3.1, 10.2 - 10.2.1, 10.1 - 10.1.1, 10.0.0 - 10.0.3, 9.2 - 9.2.1, 9.3.0 - 9.3.5, 9.1.0, 9.0.0 - 9.0.2

---

External links
http://support.apple.com/en-us/HT207798

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.