Apple's recent iOS, OS X, tvOS and watchOS updates patch a previously unknown security flaw that allows the surreptitious gathering of sensitive data with a simple text message, an OS-level bug which bears a striking resemblance to last year's much derided Stagefright exploit on Google's Android platform.
Like Stagefright, the iOS vulnerability discovered by Cisco Talos engineer Tyler Bohan involves media files delivered by MMS, specifically specially crafted Tagged Image File Format (TIFF) files that contain nefarious payloads used to trigger buffer overflows.
As described by Bohan, when an infected TIFF file is opened on a target device it triggers a buffer overflow in iMessage, or any other app using Apple's Image I/O API to render the image, allowing for remote code execution. Depending on the malicious file's instruction set, nefarious users might be able to gain access to account logins, passwords and other sensitive information.
Bohan notes the vulnerability is especially dangerous as certain iOS apps, including iMessage, automatically attempt to render TIFF images by default. In such cases, payloads would trigger themselves without user intervention. Safari is also vulnerable, though users need to click on a link or load a malicious webpage to trigger the payload.
Forbes reported on the vulnerability's discovery earlier today.
14 Comments
Wait a f**ing minute. You mean a big similar to android was capable on iOS?
Stagefright is one of the biggest reasons why I defend iOS. Tell me it isn't the same only "similar" in a clickbait manner.
Can it be triggered without opening a message like StageFright?
While exploits that don't require any user intervention are a serious matter, the reason why StageFright was (and continues to be) such a big deal are:
The 1st point is serious because it means that the number of infected users will continue to grow overtime, despite efforts by Google/partners.
The 2nd point is serious as it drew significant attention to the vulnerability and how it worked - enabling many more nefarious actors to implement it
The 3rd point is serious because, unlike iOS, there was a demonstrable outcome to the vulnerability. This is different from iOS as the payload may not have been able to be effective due to other layers of iOS security coming into play (which has significantly limited the scope for damage with other iOS vulnerabilities in the past.)Unlike Android, this is not iOS's first day at the rodeo.