iOS, Mac vulnerabilities allow remote code execution through a single image

Researchers have discovered that image files can bury malware, allowing malicious code access without detection.
Written by Charlie Osborne, Contributing Writer

Security flaws which affect both Apple iOS and Mac devices permit attackers to grab your passwords and data, researchers claim.

According to researchers from Cisco's Talos, a set of five vulnerabilities, if exploited, could lead to data theft and remote code execution -- which in its worst state may result in device hijacking.

The five bugs, CVE-2016-4631, CVE-2016-4629, CVE-2016-4630, CVE-2016-1850, and CVE-2016-4637, all stem from how Apple processes image formats. Apple offers APIs as interfaces for accessing image data, and according to Talos, there are five remote code execution flaws related to this system.

The image formats which place Mac and iOS users at risk are TIFF (.tiff, often used in publishing), OpenEXR, Digital Asset Exchange (.dae) XML files, and BMP images.

The researchers say that the .tiff image processing vulnerability is of particular concern as it can be triggered in any application which uses the Apple API when rendering the images. As a result, an attacker could deliver a malicious payload through a wide range of attack vectors -- including iMessage, malicious web pages, MMS messages, or through malicious email attachments.

Because the weakness lies in the image parser itself, a crafted image does not have to look like malware to be dangerous; when the flaw is triggered it causes a heap buffer overflow, which can be extended to remote code execution.

"Furthermore, depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (i.e. iMessage) automatically attempt to render images when they are received in their default configurations," Talos notes.
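As an added example (not from the article, Talos, or Apple), a defender-side check for the formats the article names: it identifies a file by content rather than extension, and for TIFF walks the header and first IFD, rejecting any count or offset that reaches past the buffer, the kind of bounds check whose absence turns a malformed image into a heap overflow. The sample TIFFs are constructed in the block.

```python
import struct

# Magic bytes for the formats named in the article (constructed lookup table).
MAGICS = {b"II*\x00": "tiff", b"MM\x00*": "tiff",
          b"\x76\x2f\x31\x01": "openexr", b"BM": "bmp"}
# Size in bytes of each TIFF 6.0 field type (types 1..12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def sniff_format(data: bytes):
    """Identify the container by content, not by file extension or MIME label."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    if data.lstrip().startswith(b"<?xml") and b"<COLLADA" in data[:4096]:
        return "dae"   # Digital Asset Exchange files are COLLADA XML
    return None

def check_tiff(data: bytes):
    """Walk header + first IFD; reject any count or offset that reaches past the buffer."""
    if len(data) < 8:
        return False, "truncated header"
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None:
        return False, "bad byte-order mark"
    magic, ifd = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        return False, "bad magic"
    if ifd + 2 > len(data):
        return False, "IFD offset beyond EOF"
    (n,) = struct.unpack(order + "H", data[ifd:ifd + 2])
    if ifd + 2 + 12 * n + 4 > len(data):          # entries plus next-IFD pointer
        return False, f"IFD claims {n} entries past EOF"
    for i in range(n):
        pos = ifd + 2 + 12 * i
        tag, typ, count, val = struct.unpack(order + "HHII", data[pos:pos + 12])
        size = TYPE_SIZES.get(typ)
        if size is None:
            return False, f"tag {tag}: unknown field type {typ}"
        total = size * count
        if total > 4 and val + total > len(data):   # value stored out of line
            return False, f"tag {tag}: {total} bytes at offset {val} beyond EOF"
    return True, "ok"

def build_tiff(entries) -> bytes:
    # Constructed little-endian TIFF with a single IFD (sample input, not a real file).
    ifd = struct.pack("<H", len(entries))
    ifd += b"".join(struct.pack("<HHII", *e) for e in entries) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd

GOOD = build_tiff([(256, 3, 1, 1), (257, 3, 1, 1)])   # 1x1 image, all values inline
BAD = build_tiff([(256, 3, 1, 1), (273, 4, 100, 8)])  # StripOffsets: 100 LONGs claimed at byte 8
```

Run `check_tiff(GOOD)` and `check_tiff(BAD)` to see the second sample rejected for pointing 400 bytes past the end of a 38-byte file.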

Apple has patched these vulnerabilities in the latest version of iOS, Mac OS X, tvOS, and watchOS. To stay safe, users should make sure their software is up-to-date.