iOS 9.3.3 and Mac OS X 10.11.6 fix a range of vulnerabilities but none so important as a TIFF flaw that affects all versions
iPhone, iPad and Mac users are being urged to download the latest version of iOS and Mac OS X in order to protect themselves from a vulnerability that could allow malicious code to be executed on their device simply by downloading a dodgy image file.
In total, iOS 9.3.3 fixes 40 vulnerabilities and Mac OS X patches 63, but it is CVE-2016-4631, discovered by researchers at Cisco’s Talos security division, that is attracting the most attention, with one researcher claiming it has the potential to be Apple’s ‘Stagefright’.
The flaw relates to how Apple’s Image I/O API handles TIFF files – a standard created in the 1980s for scanned images.
TIFF image vulnerability
“When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices,” said Talos.
“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files.
“Furthermore, depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (i.e. iMessage) automatically attempt to render images when they are received in their default configurations. As this vulnerability affects both OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions, the number of affected devices is significant.”
Security expert Graham Cluley said the vulnerability echoed Stagefright, which affected millions of Android devices and encouraged Google to take a much more hands-on approach to security. A flaw in the Android Mediaserver meant opening an email, browsing a webpage or opening an MMS attachment could allow malicious code to run on a vulnerable smartphone or tablet.
“In short, a malicious hacker could email a malformed TIFF to you, or direct you to a webpage where one is embedded, or simply send it directly to your phone via MMS if they knew your number,” he said. “Whatever route they took, if an attacker managed to trick your computer into rendering the malformed image, your Mac computer or smartphone would be in danger.”
Other vulnerabilities fixed by Apple include a bug in the iOS calendar app, a persistent cookie vulnerability on the Mac and a flaw on both platforms relating to FaceTime.
“An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated,” said Apple.