RCE flaw exploitable via image files affects many products

Jul 20, 2016 10:25 GMT

Apple has fixed five issues in OS X and iOS that bear a striking resemblance to the famous Stagefright vulnerability found in Android handsets that allows attackers to fully compromise devices via a malicious image.

The vulnerability resides in the way Apple products process certain types of image files. Affected products include OS X, iOS, tvOS, and watchOS.

Vulnerability can be triggered via MMS, Web URLs, IM messages

Tyler Bohan of the Cisco Talos team discovered the issues, which can be exploited by delivering a malformed image to victims as an email attachment, embedded in a Web page, through iMessage or MMS, or via many other applications.

The problem lies in the fact that some Apple products will try to automatically process the image received from the attacker to create and present a thumbnail.

When this happens, the image-parsing code mishandles its memory, and malicious code embedded in the image will execute, allowing the attacker to take control of the device.

Even if the remotely executed code runs only with the privileges of the compromised application, many local privilege escalation issues exist that can help attackers gain admin rights and then run code with broader access, adding the device to a botnet or installing more intrusive malware.

Vulnerability is almost identical to Stagefright

As you can see, the core issue and the exploitation chain for this bug are almost identical to those of Stagefright, a severe vulnerability discovered in the Android OS last August, which is the reason Google created the Android Security Bulletin a month later.

According to Bohan's technical write-up, the five issues are found in the way Apple software deals with TIFF images via the Image I/O component (CVE-2016-4631), how it deals with OpenEXR images via the Image I/O component (CVE-2016-4629, CVE-2016-4630), how it deals with DAE (Digital Asset Exchange) files in Scene Kit and other apps (CVE-2016-1850), and how it deals with BMP images via the Apple Core Graphics API (CVE-2016-4637).
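Because the attack surface is automatic thumbnailing of untrusted attachments, a gateway that can hold mail cannot rely on file names or declared content types to spot the affected formats. The following triage filter is an added example, not code from the article, from Apple or from Talos: it identifies the four formats named above (TIFF, OpenEXR, BMP, COLLADA/DAE) from their file signatures so such attachments can be held from auto-preview until devices are patched. The gateway hook, file names and sample bytes are all constructed for illustration.

```python
"""Content-based triage of attachments in the formats affected by the
Image I/O, Core Graphics and Scene Kit bugs. Example code (hypothetical
gateway hook); all sample attachments below are constructed."""
from typing import Dict, Optional, Tuple

# Published file signatures of the affected formats (leading bytes).
SIGNATURES = {
    b"II*\x00": "tiff",              # little-endian TIFF
    b"MM\x00*": "tiff",              # big-endian TIFF
    b"\x76\x2f\x31\x01": "openexr",  # OpenEXR magic number
    b"BM": "bmp",                    # Windows bitmap
}
# File extensions that honestly declare each format; anything else is a mismatch.
EXPECTED_EXT = {"tiff": {"tif", "tiff"}, "openexr": {"exr"},
                "bmp": {"bmp"}, "dae": {"dae"}}

def sniff_format(data: bytes) -> Optional[str]:
    """Return the affected format the bytes actually are, or None."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    # DAE is XML (COLLADA); look for its root element in the leading bytes.
    if b"<COLLADA" in data[:4096]:
        return "dae"
    return None

def should_quarantine(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide from content whether to hold an attachment from auto-thumbnailing.
    The declared name is only reported: a 'holiday.jpg' whose bytes are a TIFF
    is still a TIFF to the image parser."""
    fmt = sniff_format(data)
    if fmt is None:
        return False, f"{filename}: not an affected format"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    note = "" if ext in EXPECTED_EXT[fmt] else f" (declared .{ext}, content is {fmt})"
    return True, f"{filename}: {fmt}{note}, hold until devices are patched"

def triage(attachments: Dict[str, bytes]) -> Dict[str, Tuple[bool, str]]:
    """Run the decision over a batch of (name -> bytes) attachments."""
    return {name: should_quarantine(name, data) for name, data in attachments.items()}

# Constructed samples: minimal headers, not real files.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,          # JPEG, not affected
    "scan.tif": b"II*\x00\x08\x00\x00\x00",                  # TIFF
    "holiday.jpg": b"MM\x00*\x00\x00\x00\x08",               # TIFF disguised as JPEG
    "render.exr": b"\x76\x2f\x31\x01\x02\x00\x00\x00",       # OpenEXR
    "logo.bmp": b"BM" + b"\x00" * 12,                        # BMP
    "model.dae": b'<?xml version="1.0"?>\n<COLLADA version="1.4.1">',
}

if __name__ == "__main__":
    for name, (held, reason) in triage(SAMPLES).items():
        print("HOLD " if held else "PASS ", reason)
```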

Apple has put out security updates to fix the above-mentioned issues in iOS 9.3.3, tvOS 9.2.2, watchOS 2.2.2, and El Capitan v10.11.6. Other, unrelated security updates are also available for iTunes 12.4.2 for Windows and Safari 9.1.2.