Do you remember Stagefright?
It one of the biggest Android security scares of
2015, after it was discovered that a critical bug in the operating system’s
Mediaserver could mean that simply opening an email, browsing a website or
receiving a media file via MMS could result in malicious code being run on your
Android device.
Many millions of Android devices were thought to be
vulnerable, and it was such a big deal that it stirred Google into getting more
serious about how it would patch and roll-out updates to users in future.
Of course, if you were an iPhone user you couldn’t
help but feel pretty smug about things.
Well, if you haven’t already done so, it’s time to
wipe the smirk off your face.
Because now owners of iPhones, iPads, iMacs and
MacBooks are facing their own Stagefright-like bug.
Earlier this week, Apple released patches for
numerous security holes in its OS X and iOS operating systems, including five
vulnerabilities that bear a chilling resemblance to Stagefright.
Just as with Stagefright, which haunted Android
users, the attack works because of exploitable bugs in how Apple iPhones and
Macs process image files to render a thumbnail. Vulnerabilities in that
thumbnail rendering code can be exploited by a maliciously-crafted image file
(including BMP and TIFF format files) to achieve remote code execution on the
targeted device.
In short, a malicious hacker could email a
malformed TIFF to you, or direct you to a webpage where one is embedded, or
simply send it directly to your phone via MMS if they knew your number.
Whatever route they took, if an attacker managed to trick your computer into
rendering the malformed image, your Mac computer or smartphone would be in
danger.
The exploitable flaws were discovered by researchers at Cisco’s Talos
team, who noted that boobytrapped image files “are an excellent vector for
attacks since they can be easily distributed over web or email traffic without
raising the suspicion of the recipient.”
The good news is that Apple issued fixes for the
problem earlier this week. If you have already updated your systems to iOS
9.3.3, tvOS 9.2.2, watchOS 2.2.2, and El Capitan v10.11.6 then you have done
the right thing.
The further good news is that Apple users typically
have a much easier time of installing updates for their chosen devices than
many of their Android cousins.
Maybe you can afford to look a little bit smug
after all… Just make sure that all your devices are patched before online
criminals attempt to take advantage of this flaw.