‘Apple’s Stagefright’: iOS And Mac Users Urged To Update Immediately

iPhone, iPad and Mac users are being urged to download the latest version of iOS and Mac OS X in order to protect themselves from a vulnerability that could allow malicious code to be executed on their device simply by downloading a dodgy image file.

In total iOS 9.3.3 fixes 40 vulnerabilities and Mac OS X patches 63, but it is CVE-2016-4631, discovered by researchers at Cisco’s Talos security division, that is attracting the most attention with one researcher claiming it has the potential to be Apple’s ‘Stagefright’.

The flaw relates to how Apple’s Image I/O API handles TIFF files – a standard created in the 1980s for scanned images.

TIFF image vulnerability

Because images can be sent across the web without raising too much suspicion, the scope for exploitation is significant, especially since all versions of Mac OS and iOS are believed to be vulnerable.

“When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices,” said Talos.

“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files.

“Furthermore, depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (i.e. iMessage) automatically attempt to render images when they are received in their default configurations. As this vulnerability affects both OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions, the number of affected devices is significant.”

Apple’s Stagefright?

Security expert Graham Cluley said the vulnerability echoed Stagefright, which affected millions of Android devices and encouraged Google to take a much more hands-on approach to security. A flaw in the Android Mediaserver meant opening an email, browsing a webpage or opening an MMS attachment could allow malicious code to run on a vulnerable smartphone or tablet.

“In short, a malicious hacker could email a malformed TIFF to you, or direct you to a webpage where one is embedded, or simply send it directly to your phone via MMS if they knew your number,” he said. “Whatever route they took, if an attacker managed to trick your computer into rendering the malformed image, your Mac computer or smartphone would be in danger.”

Other vulnerabilities fixed by Apple include a bug in the iOS calendar app, a persistent cookie vulnerability in Mac and a flaw on both platforms relating to FaceTime.

“An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated,” said Apple.


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
