Users of iPhones and Macs must update to avoid Stagefright-like bug

Do you remember Stagefright?

It one of the biggest Android security scares of 2015, after it was discovered that a critical bug in the operating system’s Mediaserver could mean that simply opening an email, browsing a website or receiving a media file via MMS could result in malicious code being run on your Android device.

Many millions of Android devices were thought to be vulnerable, and it was such a big deal that it stirred Google into getting more serious about how it would patch and roll-out updates to users in future.

Of course, if you were an iPhone user you couldn’t help but feel pretty smug about things.

Well, if you haven’t already done so, it’s time to wipe the smirk off your face.

Because now owners of iPhones, iPads, iMacs and MacBooks are facing their own Stagefright-like bug.

Earlier this week, Apple released patches for numerous security holes in its OS X and iOS operating systems, including five vulnerabilities that bear a chilling resemblance to Stagefright.


Impact: A remote attacker may be able to execute arbitrary code

Description: Multiple memory corruption issues were addressed through improved memory handling.

Just as with Stagefright, which haunted Android users, the attack works because of exploitable bugs in how Apple iPhones and Macs process image files to render a thumbnail. Vulnerabilities in that thumbnail rendering code can be exploited by a maliciously-crafted image file (including BMP and TIFF format files) to achieve remote code execution on the targeted device.

In short, malicious hackers could email a malformed TIFF to you, or direct you to a webpage where one is embedded, or simply send it directly to your phone via MMS if they knew your number. Whatever route they took, if an attacker managed to trick your computer into rendering the malformed image, your Mac computer or smartphone would be in danger.

The exploitable flaws were discovered by researchers at Cisco’s Talos team, who noted that boobytrapped image files “are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient.”

The good news is that Apple issued fixes for the problem earlier this week. If you have already updated your systems to iOS 9.3.3, tvOS 9.2.2, watchOS 2.2.2, and El Capitan v10.11.6 then you have done the right thing.

iOS update

The further good news is that Apple users typically have a much easier time of installing updates for their chosen devices than many of their Android cousins.

Maybe you can afford to look a little bit smug after all… Just make sure that all your devices are patched before online criminals attempt to take advantage of this flaw.

Author Graham Cluley, We Live Security

Follow us

Copyright © 2016 ESET, All Rights Reserved.