Latest Apple updates have fixed major Stagefright-like security hole in TIFF image handling


Apple’s OSes suffer from a previously unknown vulnerability which could allow an attacker to compromise the security of a device by having an unsuspecting user open a TIFF image file. Thankfully, the vulnerability has been patched in the most recent releases of iOS, macOS, watchOS and tvOS.

Resembling the dangerous Stagefright exploit that plagued Google’s Android platform for the better part of last year, the security hole could allow a nefarious user to gather sensitive data from your device as soon as you access a simple text message containing a malicious TIFF image file, Fortune said yesterday.

The vulnerability was first discovered in iOS 9.3.2 and reported to Apple by Cisco Talos engineer Tyler Bohan, who discovered that specially crafted data which contains nefarious payloads saved as BMP, Digital Asset Exchange, OpenEXR or TIFF image files could trigger buffer overflows in Messages.

That in turn lets rogue code execute, potentially opening up a system to remote exploits. Other apps which leverage Apple’s Image I/O API to render images are at risk, too. Safari is also vulnerable, but you must manually click a link or load a malicious webpage to trigger the payload.

According to Apple:

An exploitable heap based buffer overflow exists in the handling of TIFF images on Apple OS X and iOS operating systems. A crafted TIFF document can lead to a heap based buffer overflow resulting in remote code execution.

This vulnerability can be triggered via malicious web page, MMS message, iMessage or a file attachment delivered by other means when opened in applications using the Apple Image I/O API.

On Apple platforms, the vulnerability mostly relies on TIFF images.

That’s because Apple’s OSes in many cases load TIFFs without a user specifically opening a malicious file, as iMessage does on iOS. As mentioned above, this worrisome flaw has been patched in iOS 9.3.3, OS X El Capitan 10.11.6, tvOS 9.2.2 and watchOS 2.2.2, all of which were released four days ago.

Here is the security content for Apple’s latest updates:

Protective updates for Yosemite and Mavericks had not been released at post time.
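For anyone managing more than one device, here is a short patch-level audit built from the fixed releases named above. It is an added example, not code from Apple, Cisco Talos or Fortune; the inventory format, hostnames and status labels are assumptions made for illustration.

```python
# Added example: audit a device inventory against the fixed releases
# named in the article. Inventory format and status labels are assumed.
FIXED = {  # first fixed release per platform, as listed in the article
    "ios": (9, 3, 3),
    "osx": (10, 11, 6),
    "tvos": (9, 2, 2),
    "watchos": (2, 2, 2),
}
# OS X lines the article says had no protective update at post time
NO_FIX_YET = {(10, 10): "Yosemite", (10, 9): "Mavericks"}

def parse_version(text):
    """'9.3.10' -> (9, 3, 10). Numeric fields avoid the string-compare
    trap where '9.3.10' sorts before '9.3.3'."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError("too many version fields")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version):
    platform = platform.strip().lower()
    if platform not in FIXED:
        return "unknown-platform"
    try:
        v = parse_version(version)
    except ValueError:
        return "bad-version"
    if v >= FIXED[platform]:
        return "patched"
    if platform == "osx" and v[:2] in NO_FIX_YET:
        return "no-fix-at-post-time"
    return "update-required"

def audit(inventory_csv):
    """Return {hostname: status} for lines of 'hostname,platform,version'."""
    result = {}
    for line in inventory_csv.strip().splitlines():
        host, platform, version = (f.strip() for f in line.split(","))
        result[host] = classify(platform, version)
    return result

# Constructed sample inventory (not real devices)
SAMPLE = """phone-01,iOS,9.3.2
phone-02,iOS,9.3.10
mac-01,osx,10.11.6
mac-02,osx,10.10.5
tv-01,tvOS,9.2
watch-01,watchOS,2.2.2"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```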

If you’re jailbroken on iOS 9.1 or earlier and have no intention of losing your precious jailbreaks to the pressure of remaining secure, install a new free jailbreak tweak, called TIFF Disabler, to protect your devices from this exploit.

Our own Anthony has more on that.

Source: Fortune