
New Security Threat Targets OS X, iOS through Graphics

According to Apple, 14 per cent of iOS devices run iOS 8 or earlier, software in which the vulnerability is present. The latest version of OS X is El Capitan 10.11.6, and it is compatible with most Mac laptops and desktops dating back to mid-2007.


According to Talos, the exploit takes advantage of file properties in TIFF, OpenEXR, DAE, and BMP images.

“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images,” the researchers say. “This vulnerability can be exploited to then cause remote code execution on the device,” said Bohan.

The hole is in the Image I/O API, which is tasked with handling pictures, meaning hackers can use a Tagged Image File Format (TIFF) file to force what is known as a buffer overflow.

The problem is not entirely unlike the Stagefright bug that hit the world’s Android users the previous year.

The most serious of the bugs, named CVE-2016-4631, is in TIFF image processing. In other words, if you don’t update your equipment, a basic text message could put your passwords, photos and other data in danger.

The company is warning of an unusual vulnerability right now, one that can allow a hacker to get into your phone with an infected email or message.

Owners of iPhones and iPads should upgrade to the latest iOS 9.3.3 version. Calls from Skype and WhatsApp will come in on the lock screen, and iOS 10 will also automatically figure out how you message contacts, so if you iMessage your mom but WhatsApp your best friend in London, those will automatically be set as the default messaging services for each.

Unfortunately, this update is not available if you have an iPhone 4 or older model. Apple usually rolls out updates, but it is iOS 9.3.3 that improves both the performance and the security of devices at once.


The good news is that Apple did patch the image exploit before it had a chance to become more than a proof of concept, and the Talos crew waited until the patch was out to publish their findings. Just as in the case of Android’s Stagefright, users don’t have to do anything for the malicious software to start working.
