Users of iPhones and Macs must update to avoid Stagefright-like bug

Do you remember Stagefright?

It was one of the biggest Android security scares of 2015, after it was discovered that a critical bug in the operating system’s Mediaserver could mean that simply opening an email, browsing a website or receiving a media file via MMS could result in malicious code being run on your Android device.

Many millions of Android devices were thought to be vulnerable, and it was such a big deal that it stirred Google into getting more serious about how it would patch and roll-out updates to users in future.

Of course, if you were an iPhone user you couldn’t help but feel pretty smug about things.

Well, if you haven’t already done so, it’s time to wipe the smirk off your face.

Because now owners of iPhones, iPads, iMacs and MacBooks are facing their own Stagefright-like bug.

Earlier this week, Apple released patches for numerous security holes in its OS X and iOS operating systems, including five vulnerabilities that bear a chilling resemblance to Stagefright.


Impact: A remote attacker may be able to execute arbitrary code

Description: Multiple memory corruption issues were addressed through improved memory handling.

Just as with Stagefright, which haunted Android users, the attack works because of exploitable bugs in how Apple iPhones and Macs process image files to render a thumbnail. Vulnerabilities in that thumbnail rendering code can be exploited by a maliciously-crafted image file (including BMP and TIFF format files) to achieve remote code execution on the targeted device.

In short, malicious hackers could email a malformed TIFF to you, or direct you to a webpage where one is embedded, or simply send it directly to your phone via MMS if they knew your number. Whatever route they took, if an attacker managed to trick your computer into rendering the malformed image, your Mac computer or smartphone would be in danger.
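As an added defensive illustration (not code from Apple, Cisco Talos or this article), here is the kind of header validation a thumbnail renderer needs before it trusts a BMP file: dimensions are bounded, the buffer size is computed in 64-bit arithmetic so it cannot wrap, and the declared pixel data must actually fit inside the file. The BMP header layout is the standard one; the size limits, the helper names and the constructed test files are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not Apple's or Talos' code: the checks a BMP thumbnailer must
 * make before allocating, so oversized dimensions cannot wrap to a small buffer. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}
/* Validate a BMP header and return the pixel buffer size a renderer would
 * allocate. Returns 0 on success, -1 if the file is rejected. */
int bmp_buffer_size(const uint8_t *data, size_t len, size_t *out_size) {
    enum { HDR_MIN = 54, MAX_DIM = 1 << 15, MAX_BYTES = 64 << 20 }; /* assumed limits */
    if (len < HDR_MIN || data[0] != 'B' || data[1] != 'M') return -1;
    uint32_t pix_off = rd32(data + 10);
    int64_t w = (int32_t)rd32(data + 18);
    int64_t h = (int32_t)rd32(data + 22);
    uint32_t bpp = data[28] | (data[29] << 8);
    if (h < 0) h = -h;                          /* negative height: top-down rows */
    if (w <= 0 || w > MAX_DIM || h <= 0 || h > MAX_DIM) return -1;
    if (bpp != 8 && bpp != 24 && bpp != 32) return -1;
    int64_t stride = ((w * bpp + 31) / 32) * 4; /* rows are 4-byte aligned */
    int64_t total = stride * h;                 /* 64-bit: cannot wrap */
    if (total > MAX_BYTES) return -1;
    /* The declared pixel data must really be present in the file. */
    if (pix_off < HDR_MIN || pix_off > len || (uint64_t)total > len - pix_off)
        return -1;
    *out_size = (size_t)total;
    return 0;
}
/* Build a minimal BMP (constructed test data): 54-byte header, then pixel_bytes zero bytes. */
size_t make_bmp(uint8_t *buf, size_t cap, int32_t w, int32_t h, uint16_t bpp, size_t pixel_bytes) {
    if (cap < 54 + pixel_bytes) return 0;
    memset(buf, 0, 54 + pixel_bytes);
    buf[0] = 'B'; buf[1] = 'M';
    put32(buf + 2, (uint32_t)(54 + pixel_bytes));   /* file size */
    put32(buf + 10, 54);                            /* pixel data offset */
    put32(buf + 14, 40);                            /* BITMAPINFOHEADER size */
    put32(buf + 18, (uint32_t)w); put32(buf + 22, (uint32_t)h);
    buf[26] = 1; buf[28] = (uint8_t)bpp; buf[29] = (uint8_t)(bpp >> 8);
    return 54 + pixel_bytes;
}
/* Verdict for a constructed file: the computed buffer size, or -1 if rejected. */
long check_bmp(int32_t w, int32_t h, uint16_t bpp, size_t pixel_bytes) {
    uint8_t buf[128]; size_t size;
    size_t n = make_bmp(buf, sizeof buf, w, h, bpp, pixel_bytes);
    return (n && bmp_buffer_size(buf, n, &size) == 0) ? (long)size : -1;
}
```

A naive renderer doing the same stride arithmetic in 32-bit would compute a zero-byte buffer for a 0x40000000 by 0x40000000 header and then write pixel rows past it; the validator rejects that header, a truncated file, and an unsupported bit depth.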

The exploitable flaws were discovered by researchers at Cisco’s Talos team, who noted that boobytrapped image files “are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient.”

The good news is that Apple issued fixes for the problem earlier this week. If you have already updated your systems to iOS 9.3.3, tvOS 9.2.2, watchOS 2.2.2, and El Capitan v10.11.6 then you have done the right thing.

iOS update

The further good news is that Apple users typically have a much easier time of installing updates for their chosen devices than many of their Android cousins.

Maybe you can afford to look a little bit smug after all… Just make sure that all your devices are patched before online criminals attempt to take advantage of this flaw.

Author Graham Cluley, We Live Security

  • How about if I still run Yosemite 10.10.5 on my Mac? Is that safer? I don’t want El Capitan.

    • Shaun McDonald

      There’s a security update for Yosemite too.

    • Nigel Straightgrain

      Ditto Suzanna’s question. I still have things on my Mac that don’t work in El deCapitation, and my Mac Pro 6.1 (Late 2013) won’t let me install any OS X version lower than 10.10.5. The article doesn’t mention Yosemite…or Mavericks, for that matter, which Apple (supposedly) still supports.

      Does that mean any of the following for those OS X versions?
      1. They’re not affected by this vulnerability?
      2. Apple has patched them, but the article neglected to mention it?
      3. Apple has thrown Mavericks and Yosemite users under the bus, and we’re boned if we don’t downgrade to El Capitan?

      BTW, I might occasionally feel thankful that I don’t have as large a malware exposure hazard by using Apple products, but never smug. The bad guys target Apple users too. Vigilance is a universal requirement for anyone connected to the Internet.

  • disqus_5e0TvfIwh1

    Is iOS 7.1.2 on an iPhone 4 affected?

  • Tom

    So iPhones still get trojans as well. All the people I know who have iPhones are not on the latest update; they don’t even know about this stuff unless it’s broadcast at 6.00pm on the news. Fat chance of that, so wipe your smugness away again.
