One Innocuous Photo Could Render Your iPhone and Mac Defenseless

"The number of affected devices is significant." Or is it?

Wikimedia Commons

On Tuesday, cybersecurity firm Cisco Talos disclosed a major Apple product vulnerability. It’s now patched, so as long as you update your software as soon as possible, you’ll be spared. Until then, just loading a single photo — be it on the wrong website, via an iMessage or MMS, or via an email attachment — can hand over your entire set of virtual keys.

Apple doesn’t release information on vulnerabilities until they’ve been patched, as hackers would otherwise have field days exploiting them. Apple released the patch on Monday, though did not share many details. The patch’s explanation in both the iOS and OS X release notes merely states that a “remote attacker may be able to execute arbitrary code.”

But Cisco Talos tells a different story: the bad file type in question is a TIFF — an image file that’s useful for graphic designers and photographers, because it’s an essentially complex, lossless photo file. But for the same reasons, TIFFs are useful to hackers.

“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” Cisco Talos writes. Apple’s ImageIO API — which is what Apple products employ to load or otherwise deal with various image file types — was, until this update, mishandling TIFF files. Therein hid the weak point. According to Cisco Talos, “a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices.”

The malicious photo could be of anything, so long as it's a TIFF. Even this image!


ImageIO is all over your Apple products, and TIFFs might be, too. A malicious pop-up could have a TIFF, as could a iMessage or MMS. Users don’t even need to open or download a file to be at risk, because in certain applications, like iMessage, ImageIO renders the files on its own, and that’s all it takes.

Many news outlets equated the bug to the so-called Stagefright malware, which was a bona fide Android exploit. But security experts are not convinced that the vulnerability is anything to panic about.

Cisco Talos identified the fact that it could happen, not that it was happening. But it’s still tooting cautionary horns: “As this vulnerability affects both OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions, the number of affected devices is significant.” So long as you go ahead and update that software, you’ll be fine.

Related Tags