It found that a vulnerability in Apple’s Image I/O API system allows the way that a certain TIFF file, a kind of image, is rendered to be hijacked. The vulnerabilities carry similar risks to last year’s Stagefright scare on Android.
Advertisement
Before you begin reading through the rest of this article, keep in mind that latest iOS and Mac updates are available and you must install them right now if you own either one or both the devices. Apple also announced that the security flaw has been patched in its latest security updates.
Cisco managed to showcase how the vulnerability affects OS X, and stated that the similarity with iOS’ code might make the mobile device just as exposed to threats.
Cisco’s Talos team discovered the flaw and created a proof of concept that works via Web browser on the Mac.
The hole is in the Image I/O API that is tasked with handling of pictures, something that means hackers can use a Tagged Image File Format (TIFF) file to force what is known as buffer overflow.
Because Apple’s API is used by many applications, the vulnerability can be triggered by anything from receiving an iMessage to visiting a website. A series of nasty bugs in Android’s media library made the headlines and caused widespread alarm.
Talos says that an attacker can deliver payload for launching the vulnerability by using MMS messages, iMessages, malicious webpages, or other file attachments that are malicious. Part of the problem with Stagefright was the lack of updates for most of the impacted phones.
The good news is that Apple did patch the image exploit before it had a chance to become more than a proof of concept, and the Talos crew waited until the patch was out to publish their findings.
Advertisement
On Monday, July 18, Apple issued updates of tvOS, WatchOS, OS X and iOS that patched a security vulnerability that could allow hackers to steal password and login info as users type them. Because of the comparatively large sizes of multimedia files, an attacker can easily replace some of the data with malicious bytes, without affecting the integrity of the file format.
