One of the biggest Android security scares of 2015 called Stagefright has made its way to the Apple world. The Stagefright malware was a critical bug in the operating system’s Mediaserver, which allowed malicious code on an Android device if the user opened an email, received a media file, or browsed to a an infected website.
This vulnerability has now been found in Apple products. Earlier last week, Apple issued a patch for a new security exploit that could let a hacker take over a device simply by having a victim view a single image. The patch repaired five vulnerabilities, one of which resembled the Stagefright virus.
What is the threat?
A remote hacker could execute malware code on your device by getting you to view photo by texting, emailing, or getting you to browse an infected website. By spoofing a known phone number, for example, you might not recognize that the picture was from a hacker and contained malware.
Hackers can email a malformed TIFF image to you (or direct you to a webpage where one is embedded) or simply send it directly to your phone via SMS. If an attacker managed to direct you to a website with a malformed image, your Apple device could be in danger.
The attack is possible because of exploitable bugs in how Apple iPhones and Macs process image files to render a thumbnail. Those vulnerabilities can be exploited by a maliciously-crafted image file (in BMP or TIFF format) to achieve remote code execution on the targeted device.
How to stay safe?
According to Apple’s website, the patched flaw impacts image data handler ImageIO, meaning hardware running older versions of iOS, OS X, tvOS and watchOS are at risk. Luckily, Monday July 18th, Apple released a patch for iOS 9.3.3, OS X 10.11.6, tvOS 9.2.2 and watchOS 2.2.2, all of which patch the bug.
Here is how you do it: Settings > General > Software Update. Tap “Download” and “Install.” To update your desktop or laptop OS, click on the “Apple” menu and select “Software Update.”
Stay safe by keeping up to date on cybersecurity news as well as learn other cybersecurity must-dos at the Azstec Cybersecurity Center.