PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4686 Apple CVE debrief

CVE-2016-4686 is an Apple iOS Contacts component issue where an app could retain Address Book access after the user revoked that access. The CVE description says iOS before 10.1 is affected, and Apple’s advisory is referenced in NVD’s record. This is not a remote code execution issue; the supplied CVSS vector indicates local access, low privileges, and no user interaction. For organizations that manage iOS devices or apps that use Contacts permissions, the practical risk is privacy exposure on unpatched devices.

Vendor: Apple
Product: CVE-2016-4686
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

iOS fleet administrators, MDM and endpoint management teams, and app owners or developers whose software uses Contacts/Address Book permissions on Apple devices.

Technical summary

The issue affects the Contacts component on iOS and involves access revocation not being enforced for an app’s Address Book access. NVD’s record lists affected iPhone OS versions through 10.0.3, while the CVE description states iOS before 10.1. The supplied CVSS vector (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates a local, low-privilege issue with limited confidentiality and integrity impact and no availability impact.

Defensive priority

Medium — prioritize remediation on any devices that may still run pre-10.1 iOS, especially where app permission revocation is relied on for privacy control.

Recommended defensive actions

  • Update affected Apple devices to iOS 10.1 or later.
  • Inventory device versions to identify any systems still on pre-10.1 builds.
  • Review apps that request Contacts/Address Book access and verify revocation behavior on managed devices.
  • Use MDM or equivalent controls to enforce minimum supported iOS versions.
  • Reassess privacy controls and user guidance around Contacts permissions after patching.
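The inventory and minimum-version steps above come down to comparing each device's reported OS version against the 10.1 fix level, and the usual mistake is comparing version strings lexically ("9.3.5" sorts after "10.1"). The following is an added example, not code from PatchSiren, Apple or any MDM vendor: it audits a constructed CSV export against the fix version. The column names, the serial numbers and the build-suffix format are assumptions; a real MDM export will differ.

```python
"""Flag managed iOS devices still below the CVE-2016-4686 fix version.

Added example (not the page's or Apple's code). The CSV layout and the
sample rows are constructed; only the fix version (iOS 10.1) comes from
the CVE description.
"""
import csv
import io

FIXED_VERSION = (10, 1)  # iOS 10.1 per the CVE description

# Constructed sample inventory; column names are an assumption.
SAMPLE_INVENTORY = """\
serial,model,os_version,last_checkin
DMPF1AAA,iPhone 6s,10.0.3,2017-02-21
DMPF1BBB,iPad Air 2,10.1,2017-02-21
DMPF1CCC,iPhone 5s,9.3.5,2017-01-30
DMPF1DDD,iPhone 7,10.2.1,2017-02-22
DMPF1EEE,iPhone 6,10.1 (14B72),2017-02-20
DMPF1FFF,iPhone SE,,2017-02-22
"""


def parse_version(text: str) -> tuple:
    """'10.0.3' -> (10, 0, 3); a trailing build id such as '10.1 (14B72)' is ignored."""
    head = text.strip().split(" ")[0]
    if not head:
        raise ValueError("empty version")
    return tuple(int(part) for part in head.split("."))


def below(version: tuple, minimum: tuple) -> bool:
    """Numeric comparison with zero padding, so (10, 1, 0) is not below (10, 1)."""
    width = max(len(version), len(minimum))
    padded_v = version + (0,) * (width - len(version))
    padded_m = minimum + (0,) * (width - len(minimum))
    return padded_v < padded_m


def audit(csv_text: str, minimum: tuple = FIXED_VERSION):
    """Return (flagged, unknown).

    flagged: (serial, reported version) for devices below the minimum.
    unknown: serials whose version field could not be parsed; these need
             a manual check rather than being silently treated as patched.
    """
    flagged, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            version = parse_version(row["os_version"])
        except ValueError:
            unknown.append(row["serial"])
            continue
        if below(version, minimum):
            flagged.append((row["serial"], row["os_version"]))
    return flagged, unknown


if __name__ == "__main__":
    flagged, unknown = audit(SAMPLE_INVENTORY)
    for serial, version in flagged:
        print(f"UPDATE REQUIRED  {serial}  iOS {version}")
    for serial in unknown:
        print(f"VERSION UNKNOWN  {serial}  (verify manually)")
```

Devices with an empty or unparseable version are reported separately rather than dropped: a blank field usually means the device has not checked in recently, and such devices are exactly the ones most likely to be unpatched. The resulting serial list is what an MDM minimum-OS policy or a targeted update push would be scoped to.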

Evidence notes

The CVE description supplied here states that iOS before 10.1 is affected and that the Contacts component does not prevent Address Book access after revocation. NVD metadata adds the affected CPE criteria (iPhone OS through 10.0.3), the CVSS v3.0 vector, and a reference to Apple’s advisory at support.apple.com/HT207271. The corpus does not provide exploit details, and no KEV or ransomware signal is supplied.

Official resources

Published by NVD on 2017-02-20, with Apple’s advisory referenced in the record. The supplied enrichment does not indicate KEV inclusion or known ransomware campaign use.