Just a year ago vulnerabilities in Android allowed hackers to quietly spy on nearly a billion phones with one specially-crafted text. iPhone owners should now take note: a security researcher today warned there are comparable vulnerabilities to those Stagefright bugs in iOS allowing completely silent, almost undetectable password theft from iPhones. Apple AAPL +0.05% has patched the flaws in iOS 9.3.3, however, and users have been advised to update as soon as they can.
Cisco Talos senior security researcher Tyler Bohan found the critical bug in ImageIO, which is used to handle image data. An attacker could create an exploit – a little program that takes advantage of vulnerabilities – and send it via a multimedia message (MMS) inside a Tagged Image File Format (TIFF). Once received, the hack would launch. The user would have no chance of detecting the attack, which would begin to write code beyond the normal permitted boundaries of an iPhone’s texting tool.
The attack could also be delivered over Safari; all that would be required would be for the user to visit a website containing the malicious code and for the browser to parse the exploit. No interaction with the site would be required.
Bohan described the issue as “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.” “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism, so I can send the exploit today and you will receive it whenever your phone is online,” he added.
A major Apple OS vulnerability
Once executed, the exploit could leak authentication credentials stored in memory to the attacker. FORBES believes these include Wi-Fi passwords and any credentials the target is using in the browser, such as website and email logins. A hacker would need a further iOS jailbreak or root exploit to take total control of the phone, however. That’s because iOS enjoys sandbox protection, which prevents hackers exploiting one part of the operating system to own the whole thing.
The bugs uncovered by Bohan work across all widely-used Apple operating systems, however, including Mac OS X, tvOS and watchOS. Indeed, Bohan noted that Mac OS X doesn’t have sandboxing, giving an attacker remote access to the PC with the victim’s passwords. That potentially makes it a more severe threat to owners of Apple’s PCs, as a simple email could prize Macs open.
Users should patch now, as it wouldn’t take long for criminals to find a way to take advantage of the weaknesses now they’re known. “Exploitation wise, Talos estimates there is about a two-week effort to get from the information we disclosed publicly to a fully working exploit with a decent amount of reliability,” Bohan added.
He also found memory corruption issues in iOS’ CoreGraphics, which helps render 2D graphics across those OSes. Another serious flaws patched by Apple this week resided in FaceTime, permitting anyone on the same network as a user to spy on their conversations. As per Apple’s description, “an attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated.” Martin Vigo, a security engineer at Salesforce, uncovered the bug.
Tips and comments are welcome at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Twitter @iblametom and email@example.com for Jabber encrypted chat.