There’s a new security threat for OS X and iOS that could let an attacker remotely run code on your device or install malware simply by sending you an image file. The threat is serious, although so far it exists only as a proof of concept, and Apple has already patched the flaw in OS X 10.11.6 and iOS 9.3.3.
Cisco’s Talos team discovered the flaw and built a proof of concept that works through a web browser on the Mac. It abuses the operating system’s built-in image-rendering code (Apple’s Image I/O framework), which apps such as Messages and web browsers use to decode and display images automatically, so in certain cases the attack requires no user action at all.
According to Talos, the bugs lie in the way the system parses file properties in TIFF, OpenEXR, DAE, and BMP files. TIFF is the most dangerous of these because the vulnerable code runs as soon as an app renders the image, so merely receiving a message with a crafted TIFF attached can be enough to trigger it.
The Talos team said,
This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files.
The team also said the exploit affects OS X 10.11.5 and earlier, as well as iOS 9.3.2 and earlier. Updating to OS X 10.11.6 and iOS 9.3.3 addresses the issue, and Security Update 2016-004 patches the flaw for OS X Mavericks 10.9.5 and OS X Yosemite 10.10.5.
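Because the dangerous case is a tiled TIFF that gets rendered automatically, a defender who cannot patch every endpoint immediately (a mail or messaging gateway, for example) may want to triage attachments for exactly that. The following Python is an added example written for this page; it is not Talos’s proof of concept and not Apple’s code, and it does not reproduce the vulnerability. It parses the first IFD of a TIFF, reports whether the image uses tiles (tags 322/323/324), and applies generic geometry sanity checks from the TIFF 6.0 specification (tile dimensions must be non-zero multiples of 16, should not exceed the image, and their product should fit a 32-bit size computation). The sample files at the bottom are constructed in memory and carry no pixel data.

```python
import struct

# TIFF tag numbers from the TIFF 6.0 specification.
TAG_IMAGE_WIDTH = 256
TAG_IMAGE_LENGTH = 257
TAG_STRIP_OFFSETS = 273
TAG_TILE_WIDTH = 322
TAG_TILE_LENGTH = 323
TAG_TILE_OFFSETS = 324
TAG_TILE_BYTE_COUNTS = 325

# TIFF field type -> size in bytes (types 1..12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def parse_first_ifd(data: bytes) -> dict:
    """Return {tag: first value} for SHORT/LONG tags in the first IFD.
    Every offset is bounds-checked; malformed input raises ValueError."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset out of range")
    (count,) = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])
    if ifd_off + 2 + 12 * count > len(data):
        raise ValueError("IFD runs past end of file")
    tags = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, ftype, n = struct.unpack(endian + "HHI", data[off:off + 8])
        size = TYPE_SIZES.get(ftype)
        if size is None:
            raise ValueError(f"unknown field type {ftype} for tag {tag}")
        if ftype not in (3, 4):  # only SHORT/LONG values matter for geometry
            continue
        fmt = "H" if ftype == 3 else "I"
        if size * n <= 4:  # value stored inline in the entry
            val_bytes = data[off + 8:off + 8 + size]
        else:  # value stored at an offset elsewhere in the file
            (voff,) = struct.unpack(endian + "I", data[off + 8:off + 12])
            if voff + size > len(data):
                raise ValueError(f"value offset for tag {tag} out of range")
            val_bytes = data[voff:voff + size]
        tags[tag] = struct.unpack(endian + fmt, val_bytes)[0]
    return tags


def check_tiff(data: bytes) -> dict:
    """Report whether the TIFF is tiled and list any tile-geometry problems."""
    tags = parse_first_ifd(data)
    report = {"tiled": False, "problems": []}
    width, length = tags.get(TAG_IMAGE_WIDTH), tags.get(TAG_IMAGE_LENGTH)
    if width is None or length is None:
        report["problems"].append("missing ImageWidth/ImageLength")
        return report
    report["tiled"] = any(t in tags for t in (TAG_TILE_WIDTH, TAG_TILE_LENGTH, TAG_TILE_OFFSETS))
    if not report["tiled"]:
        return report
    tw, tl = tags.get(TAG_TILE_WIDTH), tags.get(TAG_TILE_LENGTH)
    if tw is None or tl is None:
        report["problems"].append("tiled image missing TileWidth or TileLength")
        return report
    if tw == 0 or tl == 0:
        report["problems"].append("zero tile dimension")
    elif tw % 16 or tl % 16:
        report["problems"].append("tile dimension not a multiple of 16")
    if tw > width or tl > length:
        report["problems"].append("tile larger than image")
    if tw * tl > 0xFFFFFFFF:  # a 32-bit per-tile size computation would wrap
        report["problems"].append("tile pixel count overflows 32 bits")
    return report


def build_tiff(tags: dict) -> bytes:
    """Constructed sample: little-endian TIFF with one IFD of LONG tags, no pixel data."""
    entries = sorted(tags.items())
    ifd = struct.pack("<H", len(entries))
    for tag, val in entries:
        ifd += struct.pack("<HHII", tag, 4, 1, val)
    ifd += struct.pack("<I", 0)  # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd


# Constructed samples (not real-world files).
STRIPPED = build_tiff({TAG_IMAGE_WIDTH: 64, TAG_IMAGE_LENGTH: 64, TAG_STRIP_OFFSETS: 200})
TILED_OK = build_tiff({TAG_IMAGE_WIDTH: 64, TAG_IMAGE_LENGTH: 64, TAG_TILE_WIDTH: 16,
                       TAG_TILE_LENGTH: 16, TAG_TILE_OFFSETS: 200, TAG_TILE_BYTE_COUNTS: 256})
TILED_BAD = build_tiff({TAG_IMAGE_WIDTH: 64, TAG_IMAGE_LENGTH: 64, TAG_TILE_WIDTH: 0,
                        TAG_TILE_LENGTH: 0xFFFFFFF0, TAG_TILE_OFFSETS: 200, TAG_TILE_BYTE_COUNTS: 256})
TILED_HUGE = build_tiff({TAG_IMAGE_WIDTH: 64, TAG_IMAGE_LENGTH: 64, TAG_TILE_WIDTH: 0x10000,
                         TAG_TILE_LENGTH: 0x10000, TAG_TILE_OFFSETS: 200, TAG_TILE_BYTE_COUNTS: 256})

if __name__ == "__main__":
    for name, blob in (("stripped", STRIPPED), ("tiled_ok", TILED_OK),
                       ("tiled_bad", TILED_BAD), ("tiled_huge", TILED_HUGE)):
        print(name, check_tiff(blob))
```

A check like this is a triage aid, not a fix: it can flag tiled TIFFs for quarantine or closer inspection before they reach an unpatched device, but a well-formed tiled TIFF is perfectly legitimate, and only the OS updates listed above actually remove the vulnerable code path.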
Stuck with Stagefright
This security flaw is being compared to Stagefright, the serious Android vulnerability that could be triggered by a malicious MMS message. The two are similar in that both can use MMS as an attack vector, but the comparison also underscores one of Android’s big weaknesses: software updates.
Apple and Google both released patches for their respective flaws, but millions of Android users remain at risk because they can’t get the updates. Where Apple controls updates for all of its devices, Google is often at the mercy of carriers and device makers who decide when, or if, Android device users will get them.
Apple device users tend to update quickly, too, which helps cut down on potential malicious attacks.
The good news is that Apple patched the image flaw before it had a chance to become more than a proof of concept, and the Talos team waited until the patch was out to publish their findings.
OS X El Capitan users who haven’t updated to version 10.11.6 yet should hop to it, and OS X Mavericks and Yosemite users need to install the 2016-004 security update, too. And iOS users need to get the 9.3.3 update installed right away.
Sorry, Android users, you’re on your own.