iOS Vulnerability Allows Remote Code Execution Triggered by Image Files

Liviu ARSENE

July 25, 2016

A vulnerability in the way Apple iPhone, iPad, Apple Watch, Mac or Apple TV software processes images could allow attackers to gain full control over devices by sending victims malicious Tagged Image File Format (TIFF) files.

By triggering a buffer overflow in Apple’s Image I/O API, an attacker could allegedly run their own malicious code on the device and potentially gain access to information stored on the gadget. Because some applications use the Image I/O API to render images automatically, the vulnerability is considerably more dangerous, as it might not even require user interaction.

“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images,” said Tyler Bohan from security firm Cisco Talos. “Depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (ie iMessage) automatically attempt to render images when they are received in their default configurations.”

The vulnerability is filed as CVE-2016-4631, and it’s estimated that it could affect all iOS versions prior to 9.3.3, as Apple’s support page states the latest update contains a fix for the issue. However, the update is only available for iPhone 4s and later, iPod touch (5th generation) and later, and the iPad 2 and later.

Since the vulnerability is difficult to detect, everyone is strongly encouraged to update their Apple software to its latest version. While there have been no reports of in-the-wild attacks exploiting this vulnerability, unpatched devices will be vulnerable to this type of attack.
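
The Talos quote above ties the flaw to tiled TIFF images. The following Python code is an added example, not from the article, Apple or Cisco Talos: it walks a classic TIFF's image file directories and reports whether the file uses the tile tags defined in the TIFF 6.0 specification, which lets a mail or file gateway triage inbound TIFFs. It identifies the file type only and does not decide whether a file is malicious; the function names and the sample builder are assumptions of this example.

```python
import struct

# Tile-related tags from the TIFF 6.0 specification.
TILE_TAGS = {322: "TileWidth", 323: "TileLength", 324: "TileOffsets", 325: "TileByteCounts"}
MAX_IFDS = 64  # cap on chained IFDs so a looping file cannot stall the scan


def tiff_tile_tags(data: bytes) -> set:
    """Return names of tile tags in any IFD; ValueError if not a sane classic TIFF."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None:
        raise ValueError("bad byte-order mark")
    magic, offset = struct.unpack_from(order + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a classic TIFF (magic != 42)")
    found, seen = set(), set()
    while offset:
        if offset in seen or len(seen) >= MAX_IFDS:
            raise ValueError("IFD chain loops or is too long")
        seen.add(offset)
        if offset + 2 > len(data):
            raise ValueError("IFD offset outside file")
        (count,) = struct.unpack_from(order + "H", data, offset)
        end = offset + 2 + count * 12  # each IFD entry is 12 bytes
        if end + 4 > len(data):
            raise ValueError("IFD entries run past end of file")
        for i in range(count):
            (tag,) = struct.unpack_from(order + "H", data, offset + 2 + i * 12)
            if tag in TILE_TAGS:
                found.add(TILE_TAGS[tag])
        (offset,) = struct.unpack_from(order + "I", data, end)  # next IFD, 0 = end
    return found


def is_tiled_tiff(data: bytes) -> bool:
    return bool(tiff_tile_tags(data))


def sample_tiff(order: str, tags, next_ifd: int = 0) -> bytes:
    """Build a constructed, pixel-free TIFF with one IFD at offset 8 (sample input)."""
    bom = b"II" if order == "<" else b"MM"
    ifd = struct.pack(order + "H", len(tags))
    for tag in tags:
        ifd += struct.pack(order + "HHII", tag, 4, 1, 64)  # type LONG, count 1
    return bom + struct.pack(order + "HI", 42, 8) + ifd + struct.pack(order + "I", next_ifd)
```

A `ValueError` means the input is not a well-formed classic TIFF (BigTIFF, truncated or looping files included), which a gateway would normally treat as a reason to quarantine rather than pass through.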
