Security researchers have discovered a flaw that could allow hackers to take over iPhones and Macs with nothing more than a message.

A vulnerability in Apple’s Image I/O API, which processes images on its mobile devices and Mac computers, means cyber criminals could use a specially crafted TIFF file to cause a buffer overflow and execute malicious code that security systems would usually block.

The flaw, uncovered by Tyler Bohan of Cisco Talos, can be exploited in any app that uses the API – including messaging apps – often with no user interaction or confirmation. Once the exploit is active, attackers can gain control of the devices and steal passwords and other sensitive data.

Now Apple users are being advised to update their iPhones, iPads, Apple Watches, Macs and Apple TV devices to patch the vulnerability and secure their products.

“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” Bohan wrote. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”

Thankfully, a new update from Apple closes the security loophole, and a simple update is all most users need to protect themselves.

“If for some reason you can’t update your iOS device right away, you can minimise your risk by turning off iMessage on your iPhone and disabling MMS messaging,” wrote Intel Security’s Bruce Snell in a blog post.

“This does mean you will only be able to receive text messages, but you will also not be able to receive infected TIFF files that could exploit your system. Bugs like this don’t come around every day, but thankfully Apple’s quick response could help minimise the risk of this one.”
