Last year, the notorious “Stagefright” flaw in Google’s Android operating system affected millions of devices, allowing hackers to execute code simply by sending a malicious MMS message.
Dubbed one of the biggest security concerns ever, the vulnerability appears to be back – this time, targeting iPhones, iPads, iMacs and Macbooks.
According to senior security researcher Tyler Bohan at Cisco Talos, the Stagefright-like bug (CVE-2016-4631) resides in ImageIO, which is used in the handling of TIFF image files.
In a blog post, Bohan explained:
“The Tagged Image File Format (TIFF) is a file format that is popular with graphic artists, photographers and the publishing industry because of its ability to store images in a lossless format. TIFF was created to try to establish a common scanned image file format in the mid 1980s. Cisco Talos has discovered a vulnerability in the way in which the Image I/O API parses and handles tiled TIFF image files. When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices.”
An attacker could attempt to exploit the vulnerability using a variety of potential attack vectors, including iMessages, malicious web pages, MMS messages or other malicious file attachments opened by an application that leverages ImageIO, warned Bohan.
“Furthermore, depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (i.e. iMessage) automatically attempt to render images when they are received in their default configurations,” said Bohan.
Like the Android Stagefright bug, successful exploitation could allow an attacker to execute arbitrary code on a user’s device, such as adding the device to their botnet or installing more intrusive malware.
The good news is Apple has issued a fix and is urging users to download the latest versions of iOS and Mac OS X to protect themselves. Nonetheless, the number of devices still vulnerable is expected to be significant.
The bug affects OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions.
“Exploitation wise, Talos estimates there is about a two-week effort to get from the information we disclosed publicly to a fully working exploit with a decent amount of reliability,” said Bohan.