PatchSiren

CVE-2016-7650 Apple CVE debrief

CVE-2016-7650 is an Apple browser issue affecting Safari Reader. According to the supplied NVD record, a crafted website can be used to conduct a UXSS attack on iOS devices before 10.2 and Safari before 10.0.2. NVD rates the issue medium severity (CVSS 4.7) and maps it to CWE-79.

Vendor: Apple
Product: CVE-2016-7650
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple users and administrators responsible for iOS and Safari patching, especially fleets that may still run iOS before 10.2 or Safari before 10.0.2.

Technical summary

The vulnerability is described as a UXSS issue in the Safari Reader component. NVD assigns CVSS 3.0 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, required user interaction, changed scope, and limited confidentiality/integrity impact. The NVD weakness mapping is CWE-79.

Defensive priority

Patch affected Apple devices and browsers promptly if they remain within the vulnerable version ranges. This is not listed as a KEV item in the supplied corpus, but it still merits attention because it affects a user-facing browser component and is triggered through a crafted website, with user interaction required per the CVSS vector.

Recommended defensive actions

  • Update iOS to 10.2 or later on affected devices.
  • Update Safari to 10.0.2 or later on affected systems.
  • Inventory Apple devices and browsers to confirm none remain in the vulnerable ranges.
  • Apply the updates described in the Apple security advisories referenced by NVD (HT207421 and HT207422) and verify the fixes are present.
  • Treat the issue as a browser-originated UXSS/CWE-79 class problem when reviewing web access risk and user exposure.
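
The inventory check from the list above, as an added example (not part of the NVD record or Apple's advisories). The CSV columns, host names and sample rows are constructed assumptions; only the fixed versions (iOS 10.2, Safari 10.0.2) come from this page. Versions are compared numerically, because a plain string comparison would sort 10.10 below 10.2.

```python
import csv
import io

# Fixed-version thresholds taken from the advisory text above.
FIXED = {"ios": (10, 2), "safari": (10, 0, 2)}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version
iphone-001,iOS,10.1.1
iphone-002,iOS,10.2
iphone-003,iOS,9.3.5
mac-001,Safari,10.0.1
mac-002,Safari,10.0.2
mac-003,Safari,10.1
mac-004,Safari,
win-001,Chrome,55.0
"""

def parse_version(text):
    """Turn '10.0.1' into (10, 0, 1); return None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_vulnerable(version, fixed):
    """Compare numerically, padding with zeros so 10.2 equals 10.2.0."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(inventory_csv):
    """Return (vulnerable_hosts, unknown_hosts) for CVE-2016-7650."""
    vulnerable, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["product"].strip().lower())
        if fixed is None:
            continue  # product not covered by this CVE
        version = parse_version(row["version"])
        if version is None:
            unknown.append(row["host"])  # no usable version: follow up manually
        elif is_vulnerable(version, fixed):
            vulnerable.append(row["host"])
    return vulnerable, unknown

if __name__ == "__main__":
    vuln, unk = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)
    print("version unknown:", unk)
```

Hosts with a missing or unparseable version are reported separately rather than treated as patched.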

Evidence notes

The supplied CVE description states that iOS before 10.2 and Safari before 10.0.2 are affected and that Safari Reader can be abused via a crafted website for UXSS. The NVD metadata lists vulnerable CPE ranges for iPhone OS through 10.1.1 and Safari through 10.0.1, plus CVSS 3.0 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79. NVD references Apple support advisories HT207421 and HT207422.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-20; the supplied NVD entry was later modified on 2026-05-13. No KEV listing or ransomware-campaign use is indicated in the supplied corpus.