David Drysdale

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.3 **Description** The issue is related to the XPC Services API in LaunchServices, which has inadequate access control. This allows an attacker to bypass event-handler restrictions and modify events of arbitrary apps using a crafted app. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 9.3, update to iOS version 9.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the XPC Services API in LaunchServices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libxml2 versions prior to 2.9.3 **Description** The issue is related to the `xmlStringLenDecodeEntities` function in `parser.c` of the libxml2 library, which is associated with resource management errors. Exploitation of this issue may allow a remote attacker to cause a denial of service (CPU consumption) using specially crafted XML data. This can be achieved by context-dependent attackers via crafted XML data, allowing them to consume CPU resources. **Recommendations** For libxml2 versions prior to 2.9.3, update to version 2.9.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `xmlStringLenDecodeEntities` function in `parser.c` to minimize the risk of exploitation. Avoid using crafted XML data that could trigger entity expansion, which may lead to CPU consumption.

**Name of the Vulnerable Software and Affected Versions** libxml2 (affected versions not specified) **Description** The issue is related to insufficient restriction of XML links to external objects in the libxml2 library's XML file parser. This can be exploited by a remote attacker using a specially crafted XML document to cause a denial of service, specifically memory consumption, through an XML Entity Expansion (XEE) attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.