The comparison to Stagefright at first seemed reasonably apt, but after scratching the surface, there’s only a coarse similarity. Stagefright affects versions of Android starting with 2.2, released in 2011, and took in several hundred million Android phones, tablets, and other devices. Hundreds of millions of Android phones haven’t been patched to protect against Stagefright, and many are well past any security upgrade cycle. (Stagefright was partly mitigated by updates to Google’s Hangouts and Messenger apps.)
However, even though Talos implemented an attack against Safari and OS X, as noted above, the MMS and iMessage vectors remain to be proven. Delivering malicious web content, even via phishing or webpage content hijacking, has a slimmer profile than multimedia messaging.
There can also be a large gap between theoretical and practical that can keep even severe exploits from turning into widespread vectors for malware, even when effective proofs of concept exist. As security firm Sophos noted on its blog post about the bugs, “Not all vulnerabilities can be turned into working exploits, where crooks can send deliberately-crafted files that not only crash the offending code but also wrangle control from it in the process.”
Without knowing how well and rapidly these flaws can be exploited and used to deliver payloads, the “businesses” that develop malware may not invest the time and research. (Governments and contractors may still pursue these angles as part of a toolkit to compromise specific targets, whether individuals, companies, or foreign agencies.)
Dan Guido, CEO of security firm Trail of Bits, noted on Reddit a number of issues that make it difficult to execute malicious code in iOS, as well as pointing out pathways that exist in Android and are absent in iOS. Bohan responded in the same Reddit thread with additional technical detail.
Nonetheless, given the percentage of Apple users on current versions of OS X and the speed at which Apple users update iOS, tvOS, and watchOS, the number of users that will remain open as a target is relatively small. Even if Apple fails to patch 10.9 and 10.10, that’s a small and shrinking percentage of OS X users. According to Net Applications’ browser-based analysis, almost three times as many OS X users run 10.11 El Capitan as 10.10 Yosemite, while 10.9 Mavericks users are less than a third of the installed Yosemite base.