iOS, Mac vulnerabilities allow remote code execution through a single image
This week, Apple patched tens of vulnerabilities in OS X and iOS, including four security holes discovered by the Cisco Talos experts. The latest version of OS X is El Capitan 10.11.6, and it is compatible with most Mac laptops and desktops dating back to mid-2007.
The OpenEXR exploit uses the flexibility of the image format, which was developed by Industrial Light and Magic, to make Apple Image I/O write image information outside the designated memory buffer.
The tiled TIFF vulnerability is especially concerning, as it can be triggered in any application that uses the Apple Image I/O API when rendering tiled TIFF images.
The vulnerability is similar to an Android Stagefright flaw that allowed hackers to infect up to one billion smartphones through a corrupt video file. iOS users need to install the 9.3.3 update right away. The remote code execution vulnerabilities were found in the way Apple operating systems access image data through APIs, specifically the Apple Core Graphics API, Scene Kit, and Image I/O. However, your iPhone might not immediately notify you of the update’s availability.
On most devices, the update prompt will appear when you turn the device on, but many people dismiss updates for weeks.
At the same time, Android is still inherently less secure than Apple’s iPhone, as not every Android smartphone received fixes for bugs like Stagefright. The updates should be available now and will automatically download and prompt to install for the majority of users.
‘As this vulnerability affects both OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions, the number of affected devices is significant’.
So: if you have an iPhone or iPad, please get it on iOS 9.3.3 as soon as possible.
The good news is that Apple did patch the image exploit before it had a chance to become more than a proof of concept, and the Talos crew waited until the patch was out to publish their findings.
Talos says that an attacker can deliver a payload that triggers the vulnerability via MMS messages, iMessages, malicious webpages, or other malicious file attachments.