Apple flaw lets hackers take control of iPhones and Macs with malicious images
Security researchers have discovered a flaw that could allow hackers to take over iPhones and Macs with nothing more than a message.
A vulnerability in Apple’s Image I/O API, which processes images on its mobile devices and Mac computers, means cyber criminals could use a specially designed TIFF file to cause a buffer overflow and execute malicious code usually blocked by security systems.
The flaw, uncovered by Tyler Bohan of Cisco Talos, can be exploited in any app that uses the API – including messaging apps – often with no user interaction or confirmation. Once the exploit is active, attackers can gain control of the devices and steal passwords and other sensitive data.
Now Apple users are being advised to update their iPhones, iPads, Apple Watches, Macs and Apple TV devices to patch the vulnerability and secure their products.
“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” Bohan wrote. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”
Thankfully, a new update from Apple closes the security loophole, and a simple update is all most users need to protect themselves.
“If for some reason you can’t update your iOS device right away, you can minimise your risk by turning off iMessage on your iPhone and disabling MMS messaging,” wrote Intel Security’s Bruce Snell in a blog post.
“This does mean you will only be able to receive text messages, but you will also not be able to receive infected TIFF files that could exploit your system. Bugs like this don’t come around every day, but thankfully Apple’s quick response could help minimise the risk of this one.”