PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7666 Apple CVE debrief

CVE-2016-7666 is an Apple Transporter information-disclosure issue affecting versions before 1.9.2. NVD says the flaw is in the iTMSTransporter component and can leak sensitive information when a crafted EPUB is processed. The published CVSS score is 5.5 (Medium), reflecting local access with user interaction and confidentiality impact only.

Vendor: Apple
Product: CVE-2016-7666
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple Transporter users, build/release engineers, IT administrators, and developers who rely on iTMSTransporter, especially on systems still running Transporter 1.9.1 or earlier.

Technical summary

NVD classifies the issue as CWE-200 and maps it to Transporter versions up to 1.9.1. The CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, which indicates a local attack path requiring user interaction and resulting in high confidentiality impact without integrity or availability impact. The vulnerable component is iTMSTransporter, and the triggering condition is a crafted EPUB.

Defensive priority

Medium priority for any environment that still uses Apple Transporter 1.9.1 or earlier. The issue is not a remote code execution flaw and does not affect integrity or availability, but it can expose sensitive data, so upgrades should be prioritized where Transporter is installed and used with untrusted EPUB content.

Recommended defensive actions

  • Upgrade Apple Transporter to 1.9.2 or later.
  • Inventory systems and build pipelines to find installed Transporter versions at 1.9.1 or below.
  • Limit exposure to untrusted EPUB inputs in workflows that invoke iTMSTransporter.
  • Review Apple's support advisory for any vendor-specific remediation guidance and deployment notes.

Evidence notes

This debrief is based on the supplied CVE description and NVD record. The corpus states that Apple Transporter before 1.9.2 is affected, the issue is in iTMSTransporter, and sensitive information can be obtained via a crafted EPUB. NVD also provides the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N and CWE-200 classification. An Apple support advisory and a third-party bulletin are referenced by NVD, but their full contents were not included in the supplied corpus.

Official resources

Publicly disclosed in the supplied CVE record on 2017-02-20. The corpus does not include a separate vendor publication timestamp, but NVD references an Apple support advisory and a third-party bulletin.