Update ASAP! Apple Patches Serious Remote Code Execution Vulnerability In iDevices And Macs

If you’re one of those folks that lollygags around when it comes to updating your iPhone to the latest version of iOS, you might want to rethink that strategy. Apple released iOS 9.3.3 last week, and tucked inside the software update were some operating system tweaks and the usual bevy of security patches.


One security patch in particular fixed a rather nasty vulnerability that can leave your Apple device open to attackers using a simple iMessage. The exploit allows an attacker to send a seemingly innocent TIFF image file via iMessage that actually contains a rather malicious payload. Cisco Talos describes the severity of the exploit, writing:

When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap-based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices. This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images.

According to Cisco Talos, not only is iMessage vulnerable, but MMS, email messages and webpages that rely on Apple’s Image I/O API could also be fooled by this TIFF exploit. This all sounds strikingly similar to the Stagefright exploit that dogged millions of Android devices around the globe; however, there’s one critical difference between this new iOS exploit and Stagefright: the speed with which an update is provided.
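To make the bug class concrete, here is an added illustration in C that is not Apple's Image I/O code and not part of Talos's analysis: a naive tile-buffer size computation that wraps on a hostile header, beside a checked version a decoder should use. The tag names come from the TIFF 6.0 specification; the struct, function names and the allocation cap are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Tile geometry as parsed from TIFF IFD tags; every field is attacker-controlled
 * when the image arrives over iMessage, MMS, email or a web page. */
typedef struct {
    uint32_t image_width;       /* ImageWidth (tag 256) */
    uint32_t image_length;      /* ImageLength (tag 257) */
    uint32_t tile_width;        /* TileWidth (tag 322) */
    uint32_t tile_length;       /* TileLength (tag 323) */
    uint16_t bits_per_sample;   /* BitsPerSample (tag 258) */
    uint16_t samples_per_pixel; /* SamplesPerPixel (tag 277) */
} tiff_tile_geom;

/* Naive computation: the 32-bit product wraps, so a hostile header can make a
 * decoder allocate a tiny buffer and then decode a full tile into it. That is
 * the heap-overflow pattern the article describes (illustrative, not Apple's code). */
uint32_t naive_tile_bytes(const tiff_tile_geom *g) {
    return g->tile_width * g->tile_length *
           (g->bits_per_sample / 8u) * g->samples_per_pixel;
}

/* Multiply with an overflow check; returns false if a*b does not fit in size_t. */
static bool mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Hardened computation: reject malformed geometry, do every multiply with an
 * overflow check, and cap the result. Handles whole-byte sample sizes only. */
bool checked_tile_bytes(const tiff_tile_geom *g, size_t max_alloc, size_t *out) {
    if (g->tile_width == 0 || g->tile_length == 0) return false;
    /* TIFF 6.0 requires tile dimensions to be multiples of 16. */
    if (g->tile_width % 16 != 0 || g->tile_length % 16 != 0) return false;
    if (g->image_width == 0 || g->image_length == 0) return false;
    if (g->bits_per_sample == 0 || g->bits_per_sample % 8 != 0 ||
        g->bits_per_sample > 64) return false;
    if (g->samples_per_pixel == 0) return false;
    size_t bytes;
    if (!mul_checked(g->tile_width, g->tile_length, &bytes)) return false;
    if (!mul_checked(bytes, g->bits_per_sample / 8u, &bytes)) return false;
    if (!mul_checked(bytes, g->samples_per_pixel, &bytes)) return false;
    if (bytes > max_alloc) return false;   /* assumed per-tile allocation cap */
    *out = bytes;
    return true;
}
```

The constructed hostile header (a 65536 by 65536 tile) makes the naive product wrap to zero, while the checked version rejects it before any allocation happens.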

In the case of Stagefright, it took a while for OEMs to begin pushing out updates to squash the bug (and some older devices never received an update). iOS, on the other hand, has a rather streamlined update process and users tend to take better advantage of the built-in software update mechanism.

Software updates that ward off this TIFF exploit are available across all of Apple’s operating systems including iOS (9.3.3), El Capitan (10.11.6), tvOS (9.2.2) and even watchOS (2.2.2). So unless you want to be the victim of a sophisticated hacker, we recommend that you update all of your Apple devices immediately (if you haven’t already done so).


Via:  Cisco Talos