According to security research firm Cisco Talos, the bug lies in Apple’s handling of TIFF image files received in messages. TIFF is a file format popular with photographers and graphics artists who need to maintain a high quality in images. It is a lossless format, creating large detailed files.
Cisco Talos discovered a vulnerability in the way Apple’s operating systems parse TIFF files. It discovered that TIFF images rendered by applications using the Image I/O API can be exploited to gain access to a device. Because iMessage uses this API, it is affected and could allow hackers to control an iPhone or Mac by sending a message and attaching a TIFF image.
A specially crafted TIFF file triggers a buffer overflow when the image is parsed. Successful exploitation lets the attacker remotely execute code on the target device, effectively gaining control of the system. The bug affects four Apple operating systems: iOS, Mac OS X, watchOS and tvOS.
Cisco Talos also detailed three other separate but related vulnerabilities relating to Apple’s handling of other image formats. OpenEXR, Digital Asset Exchange and BMP files can also be exploited to gain control of the company’s products.
“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” said Cisco Talos. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”
The vulnerabilities carry similar risks to last year’s Stagefright scare on Android. A series of nasty bugs in Android’s media library made the headlines and caused widespread alarm. Sending crafted multimedia messages, email attachments or web pages to an Android phone could give a hacker complete control of the device. The vast majority of Android products were affected.
Part of the problem with Stagefright was the lack of updates for most of the impacted phones. The fragmented Android ecosystem means many of the handsets will never be patched, leaving them vulnerable to attack forever. Apple’s platforms do not have this weakness and a patch for all the affected products has already been released.
To stay secure, you should update iOS products to version 9.3.3, OS X El Capitan to 10.11.6, tvOS to 9.2.2 and watchOS to 2.2.2. The updates should be available now and will automatically download and prompt to install for the majority of users.
The discovery of a Stagefright-style bug in Apple’s ecosystem, generally viewed as more secure than Android, is indicative of the threats that multimedia files can hide. Few people consider an image or video to be dangerous but these files can easily be exploited and “weaponised.”
Because of the comparatively large sizes of multimedia files, an attacker can easily replace some of the data with malicious bytes, without affecting the integrity of the file format. The altered file can be used to exploit any vulnerability in the library of code that will eventually parse and render it, as in Stagefright and the newly found bugs in Apple’s platforms.
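The kind of bounds validation a parser needs before trusting lengths and offsets read from a file, shown here for the first TIFF image file directory (IFD). This is an added example, not code from Apple or Cisco Talos, and it does not reproduce the specific flaw they reported; the function name, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte width per TIFF 6.0 field type code (index 0 is invalid). */
static const uint8_t TYPE_SIZE[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
/* Constructed samples: 8-byte header, entry count, one 12-byte IFD entry. */
#define HDR 'I', 'I', 42, 0, 8, 0, 0, 0, 1, 0
static const uint8_t GOOD[26] = {HDR, 0x00, 0x01, 3, 0, 1, 0, 0, 0, 16, 0, 0, 0};
/* Entry claims 4096 bytes of data starting at offset 26, which is end of file. */
static const uint8_t PAST_EOF[26] = {HDR, 0x73, 0x87, 7, 0, 0, 0x10, 0, 0, 26, 0, 0, 0};
/* Count 0x20000001 x 8 bytes would wrap to 8 if multiplied in 32 bits. */
static const uint8_t WRAP[26] = {HDR, 0x1A, 0x01, 5, 0, 1, 0, 0, 0x20, 8, 0, 0, 0};

/* Read an n-byte unsigned integer in the file's byte order. */
static uint32_t rd(const uint8_t *p, int n, int be) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << 8 * (be ? n - 1 - i : i);
    return v;
}

/* Returns 0 if the header and first IFD stay inside the buffer, else < 0. */
int tiff_check(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;                       /* too short for a header */
    int be = buf[0] == 'M';
    if (buf[0] != buf[1] || (buf[0] != 'I' && buf[0] != 'M')) return -2;
    if (rd(buf + 2, 2, be) != 42) return -2;      /* bad magic number */
    uint32_t ifd = rd(buf + 4, 4, be);
    if (ifd > len || len - ifd < 2) return -3;    /* entry count out of file */
    uint32_t n = rd(buf + ifd, 2, be);
    /* n entries of 12 bytes plus the 4-byte next-IFD offset must fit. */
    if ((uint64_t)ifd + 2 + (uint64_t)n * 12 + 4 > len) return -4;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint32_t type = rd(e + 2, 2, be), count = rd(e + 4, 4, be);
        if (type == 0 || type > 12) return -5;    /* unknown field type */
        uint64_t bytes = (uint64_t)count * TYPE_SIZE[type]; /* 64-bit: no wrap */
        if (bytes <= 4) continue;                 /* value is stored inline */
        uint32_t off = rd(e + 8, 4, be);
        if (off > len || bytes > len - off) return -6; /* data runs past EOF */
    }
    return 0;
}

int main(void) {
    printf("%d %d %d\n", tiff_check(GOOD, sizeof GOOD),
           tiff_check(PAST_EOF, sizeof PAST_EOF), tiff_check(WRAP, sizeof WRAP));
    return 0;
}
```

A check like this only rejects structurally inconsistent files; it does not replace installing the patched OS versions listed above.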