Security researchers last year discovered what they described as ‘the worst Android vulnerability ever,’ able to infect a phone with malware simply by sending an MMS message to it. The vulnerability, dubbed Stagefright, didn’t even require people to open the message for their phone to be infected.
A Cisco researcher has now discovered a similar vulnerability in OS X and iOS that could allow an attacker to gain access to your stored passwords and files simply by sending you a malicious image file …
Cisco Talos has discovered a vulnerability in the way in which the Image I/O API parses and handles tiled TIFF image files. When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices.
Because the vulnerability applies to an Apple API used by a wide range of apps, it can in principle be triggered by anything from receiving an iMessage to visiting a webpage. As with Stagefright, no user interaction is required.
This vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (i.e. iMessage) automatically attempt to render images when they are received in their default configurations. As this vulnerability affects both OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions, the number of affected devices is significant.
Cisco did not release details of the vulnerability until it was patched by Apple, but you should make sure all your devices are running the latest versions so that you are protected. These are iOS 9.3.3, El Capitan 10.11.6, tvOS 9.2.2 and watchOS 2.2.2. However, Apple hasn’t yet released patches for either Mavericks or Yosemite.
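For machines that cannot take the patched releases yet, one stopgap is to identify tiled TIFF files before they reach an application that renders them. The sketch below is an added example, not code from Cisco or Apple: it does not test for the flaw itself (whose details are not given here) and only reports whether a file carries the standard TIFF tile tags 322 to 325; the function names and sample files are constructed for illustration.

```python
import struct

# Baseline TIFF 6.0 tags that mark an image as tiled rather than striped.
TILE_TAGS = {322: "TileWidth", 323: "TileLength",
             324: "TileOffsets", 325: "TileByteCounts"}

def tile_tags_in_tiff(data: bytes, max_ifds: int = 64):
    """Return sorted tile-tag names in a classic TIFF, or None if not one.

    Walks the top-level IFD chain only (SubIFDs and BigTIFF are not followed)
    and never reads past the buffer, so truncated files are still classified.
    """
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    e = "<" if data[:2] == b"II" else ">"          # byte order of the file
    magic, ifd = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        return None
    found, seen = set(), set()
    while ifd and ifd not in seen and len(seen) < max_ifds:
        seen.add(ifd)                               # guards against IFD loops
        if ifd + 2 > len(data):
            break
        (n,) = struct.unpack_from(e + "H", data, ifd)
        fits = min(n, (len(data) - ifd - 2) // 12)  # entries actually present
        for i in range(fits):
            (tag,) = struct.unpack_from(e + "H", data, ifd + 2 + 12 * i)
            if tag in TILE_TAGS:
                found.add(TILE_TAGS[tag])
        nxt = ifd + 2 + 12 * n
        if fits < n or nxt + 4 > len(data):
            break                                   # truncated IFD: stop here
        (ifd,) = struct.unpack_from(e + "I", data, nxt)
    return sorted(found)

def make_sample_tiff(tags, e="<"):
    """Constructed sample: header plus one IFD of SHORT-valued entries."""
    out = (b"II" if e == "<" else b"MM") + struct.pack(e + "HI", 42, 8)
    out += struct.pack(e + "H", len(tags))
    for tag, value in tags:
        out += struct.pack(e + "HHIHH", tag, 3, 1, value, 0)
    return out + struct.pack(e + "I", 0)

if __name__ == "__main__":
    striped = make_sample_tiff([(256, 64), (257, 64), (273, 8), (279, 0)])
    tiled = make_sample_tiff([(256, 64), (257, 64), (322, 16), (323, 16)], ">")
    for name, blob in (("striped", striped), ("tiled", tiled)):
        print(name, tile_tags_in_tiff(blob))
```

A non-empty result means the file is a tiled TIFF and can be held or re-encoded by a mail or web gateway; a file's extension or MIME type is not a reliable substitute for this header check.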
MacWorld notes that what Cisco has demonstrated is simply a proof of concept at this stage. There is nothing to suggest that there are any exploits in the wild, and Cisco has so far only demonstrated the vulnerability in OS X, simply noting that shared code with iOS means that it is likely to apply to iOS devices also. Additionally, while infection by a malicious webpage has been demonstrated, MMS and iMessage have so far only been shown to be a potential risk: Cisco hasn’t yet proven that these vectors work in practice.
The executive summary, then, is that there’s no cause for great concern, but as ever it’s a good idea to promptly install OS updates to be sure.