Earlier this year, Cisco’s Talos division reported significant image-processing bugs to Apple, one of which could allow attackers to inject malware or remotely execute code via “iMessages, malicious webpages, MMS messages, or other malicious file attachments opened by any application.”
These flaws were patched in Apple’s current operating systems in its July 18 update. Some media outlets immediately dubbed this Apple’s “Stagefright,” referring to a severe Android flaw discovered a year ago that could access or hijack an Android phone via an MMS message. But the details don’t support this level of concern, despite the seeming severity of the flaws.
Talos found that maliciously constructed data saved as BMP, Digital Asset Exchange, OpenEXR, and TIFF image files could outwit the operating and allow code to be written and executed, including opening up a system to remote exploits. The ancient lossless image format TIFF using, however, is the worst culprit as Apple’s OSes will access a TIFF image to render a format in many cases without a user specifically opening a malicious file.
While much coverage of this bug focused on the MMS and iOS angle, Talos only created a proof of concept for exploiting the TIFF flaw via malicious webpages. Tyler Bohan, Talos’ senior security researcher credited with reporting these bugs, says via email that Talos was able to create a proof of concept to exploit this vulnerability on OS X in Safari, and presented the results at the SummerCon hacker convention in New York earlier this month. The report is available for download.
Bohan says they bypassed some of OS X’s protections against arbitrary code execution through address space layout randomization (ASLR), allowing his team to examine and control where malicious delivered code could run. He says because of similarities between iOS and OS X, “the work being done on OS X should port similarly to the browser on iOS.”
Other pathways to trigger the TIFF bug haven’t yet been shown to execute code. “iOS is also exposed to attack via iMessage, and can give the attacker code execution if the platform mitigations are bypassed, however more research is needed to prove this is achievable through the MMS/iMessage vector,” he says.
A window of exploitation rapidly shutting
The TIFF flaw affects unpatched current releases of every Apple OS: iOS 9, tvOS 9, watchOS 2, and OS X 10.11 El Capitan, as well as 10.9 Mavericks and 10.10 Yosemite. The other four affect various combinations of those releases and requires more direct interaction to trigger. Talos used industry-standard responsible disclosure policies to provide the details to Apple ahead of time, and Apple released a set of updates for current OSes, but at this writing hasn’t produced security fixes for Mavericks or Yosemite.
Sign up for Computerworld eNewsletters.