An error in the Apple software’s handling of images allegedly permits hackers to gain access to an iPhone, iPad, Apple Watch, Mac or Apple TV with a seemingly harmless iMessage or email.
The flaw in Apple’s picture-handling Image I/O API means that a malicious Tagged Image File Format (TIFF) file can cause a so-called buffer overflow, which makes it easy for a hacker to override Apple’s security and run their own code on the device.
“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images,” said Tyler Bohan from security firm Cisco Talos.
“Depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (ie iMessage) automatically attempt to render images when they are received in their default configurations,” he added.
Most apps on, say, an iPhone, use the Image I/O API to render pictures, including Messages, MMS, Safari, Mail and others, making them susceptible to attacks.
If the image is viewed either automatically or manually, the attacker can gain full access to the device, steal passwords and other information; all without the user having a clue.
Apple released iOS 9.3.3, OS X 10.11.6, tvOS 9.2.2 and watchOS 2.2.2 software updates to amend this bug and a few others on Monday, but the users who have yet not updated are still open to attacks.
The iOS 9.3.3 update is unavailable for the iPhone 4 and older devices, which puts them at risk. There are over 1 billion iOS gadgets around the globe, all of which are vulnerable to this security break unless updated.
Android previously faced two similar security flaws known as Stagefright and Stagefright 2, which affected nearly a billion devices, worsened by the fact that the updates required to fix the hole were not released promptly by smartphone manufacturers and mobile phone networks.