Apple Pages, Numbers, Keynote Input Validation and XXE (CVE-2015-7032)

In June of 2015, Patrik Fehrenbach and I were able to identify a series of vulnerabilities in a few of Apple’s productivity applications: Pages, Numbers, as well as Keynote available for OS X and iOS 8.x (or older). In short, the application failed to validate the input while parsing a document.