MENU

Stagefright-Like iOS, OS X Vulnerabilities Allow Remote Code Execution: Update Now

Close

Apple iPhones, Macs and other iDevices may be at risk, facing a severe vulnerability similar to the Stagefright bug that ravaged Android. Urgent updates are paramount.

Security experts identified "the worst Android vulnerability ever" last year, and the way in which it infected handsets with malware was as simple as it was effective.

Stagefright, as the liability was aptly named, infected owners' phones without even requiring them to open the infected MMS message.

Researchers at Cisco recently unveiled a similar vulnerability that affects OS X and iOS, making it possible for a hacker to get hold of a user's password and files by simply sending it a spoofed file.

The vulnerability taps into the way in which the Image I/O API handles image files.

"A specially crafted TIFF image file can be used [...] to achieve remote code execution on vulnerable systems and devices," Talos Cisco says.

The fact that the liability makes use of Apple's API, which is intrinsic to a number of different apps, the threat can come from anywhere, from visiting a webpage to getting an iMessage. Just as in the case of Android's Stagefright, users don't have to do anything for the malicious software to start working.

Cisco's team underlines that certain apps, such as iMessage, are tuned to automatically render images when they are received by a device. Keep in mind that the security experts think that the weakness affects both iOS 9.3.2 and OS X 10.11.5, and there is a high chance that all previous versions are also exposed.

Cisco waited for Apple to release a patch before unveiling the details about the security vulnerability. This means that if you are running the latest version of OS on your mobile or non-mobile devices, you should be safe.

Specifically, the patched software includes El Capitan 10.11.6, iOS 9.3.3, watchOS 2.2.2 and tvOS 9.2.2. So far, Apple did not address the problem for OS X Mavericks or Yosemite.

On a brighter note, MacWorld points out that Cisco's work is only a demonstration of what could be if liabilities are left unattended. As Apple patched it, there are no such dangers roaming free, at least for now, if you have the latest update installed.

Cisco managed to showcase how the vulnerability affects OS X, and stated that the similarity with iOS' code might make the mobile device just as exposed to threats. What's more, the security firm did prove that a system could be infected via a malicious website, but no conclusive evidence about MMS or iMessage infection exists.

In May 2015, researchers from the Cisco-led Talos Security Intelligence and Research Group identified another important threat. Dubbed Rombertik, the malware was a deadly virus that was able to entirely crash a computer once it was detected.

ⓒ 2018 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Real Time Analytics