A Cisco researcher has highlighted vulnerabilities in iOS, OS X, tvOS, and watchOS. These operating systems are said to be vulnerable to malware that’s been embedded in an image file. The malware, which can allegedly run undetected, allows the attacker to achieve remote code execution on the infected system.
Cisco Talos’ Tyler Bohan said that users could receive the file via MMS or email, or even be exposed to it when it’s placed on a malicious webpage. The remote code execution vulnerabilities were found in the way Apple operating systems access image data using APIs – specifically, Apple Core Graphics API, Scene Kit, and Image I/O.
Image formats that can be used to exploit these vulnerabilities are tiff (tagged image file format), bmp (bitmap), dae (digital asset exchange), and OpenEXR. While the tiff and bmp formats can infect OS X, iOS, watchOS, and tvOS; OpenEXR and dae can infect only OS X machines.
Luckily for users of the above-mentioned Apple operating systems, the Cupertino-based company has patched all the vulnerabilities in the latest versions – iOS 9.3.3, OS X El Capitan v10.11.6, tvOS 9.2.2, and watchOS 2.2.2. If you are currently running a version older than these, it is highly recommended you update to the latest version to avoid the vulnerabilities.
Bohan on the Talos Intelligence blog post described why the vulnerabilities are especially bad. “Image files are an excellent vector for attacks since they can be easily distributed over Web or email traffic without raising the suspicion of the recipient. These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform,” he said.