Here’s another entry to add to your list entitled “Reasons Why I should be Running the Latest Versions of Apple’s Operating Systems on my Devices.” A Stagefright-like security hole has been found in iOS, OS X, tvOS, and watchOS. However, the latest versions of all operating systems fix the flaw.
The bug, which is similar to last year’s Stagefright bug which afflicted Android devices, and could allow an attacker access to a device’s stored passwords and files simply by sending a user a malicious image file.
Cisco Talos senior security researcher Tyler Bohan found the critical bug in ImageIO, which is used to handle image data. An attacker could create an exploit – a little program that takes advantage of vulnerabilities – and send it via a multimedia message (MMS) inside a Tagged Image File Format (TIFF). Once received, the hack would launch. The user would have no chance of detecting the attack, which would begin to write code beyond the normal permitted boundaries of an iPhone’s texting tool.
Safari users are also vulnerable to the attack, as all a user would need to do is visit a website containing the malicious code, and the browser itself would parse the exploit, no interaction with the site on the user’s part would be required.
Apple has patched the flaw in its latest versions of the affected operating systems, which were all updated on Monday to the following versions: OS 9.3.3, OS X 10.11.6, tvOS 9.2.2 and watchOS 2.2.2, all of which patch the bug. Apple hasn’t yet released patches for either Mavericks or Yosemite.
As pointed out by MacWorld, this is all simply proof of concept at this stage. No exploits of the flaw have been found in the wild. Additionally, while infection by a malicious webpage was demonstrated by Cisco, MMS and iMessage have so far only been shown to be a potential risk. Cisco hasn’t yet proven that the exploit works in the real world. (Via 9to5Mac)