Slashdot Mirror


Apple Patches Stagefright-Like Bug In IOS (fortune.com)

Reader Trailrunner7 writes: Apple has fixed a series of high-risk vulnerabilities in iOS, including three that could lead to remote code execution, with the release of iOS 9.3.3. One of those code-execution vulnerabilities lies in the way that iOS handles TIFF files in various applications (Alternate source: Fortune). Researchers at Cisco's TALOS team, who discovered the flaw, said that the vulnerability has a lot of potential for exploitation. "This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files," Cisco TALOS said in a blog post.
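As an added illustration (not code from the article, Cisco TALOS or Apple's Image I/O, and not a description of the specific bug), the following Python sketches the consistency checks a hardened tiled-TIFF decoder performs before trusting the tile grid: tile dimensions against image dimensions, the expected tile count against the TileOffsets/TileByteCounts arrays, and each tile's extent against the file size. The tag numbers come from the TIFF 6.0 specification; `build_tiff` only constructs sample files so the check can be exercised offline.

```python
import struct

TAGS = {256: "ImageWidth", 257: "ImageLength", 322: "TileWidth",
        323: "TileLength", 324: "TileOffsets", 325: "TileByteCounts"}

def read_ifd(data):
    """Parse the first IFD of a little-endian TIFF into {tag name: [values]}."""
    if data[:4] != b"II*\x00":
        raise ValueError("not a little-endian TIFF")
    ifd = struct.unpack_from("<I", data, 4)[0]
    fields = {}
    for i in range(struct.unpack_from("<H", data, ifd)[0]):
        entry = ifd + 2 + 12 * i
        tag, typ, count, val = struct.unpack_from("<HHII", data, entry)
        if tag not in TAGS or typ not in (3, 4):       # only SHORT/LONG geometry tags
            continue
        size, fmt = (2, "<H") if typ == 3 else (4, "<I")
        off = entry + 8 if count * size <= 4 else val  # values of <= 4 bytes sit inline
        if off + count * size > len(data):
            raise ValueError(f"{TAGS[tag]} array runs past end of file")
        fields[TAGS[tag]] = [struct.unpack_from(fmt, data, off + k * size)[0]
                             for k in range(count)]
    return fields

def check_tile_geometry(data):
    """Return a list of layout problems; an empty list means the tile grid is consistent."""
    f = read_ifd(data)
    w, h, tw, tl = (f[k][0] for k in ("ImageWidth", "ImageLength", "TileWidth", "TileLength"))
    offs, sizes = f["TileOffsets"], f["TileByteCounts"]
    if min(w, h, tw, tl) == 0 or tw % 16 or tl % 16:   # TIFF 6.0: tile dims are multiples of 16
        return ["tile or image dimension is zero or not a multiple of 16"]
    # ceil(w/tw) * ceil(h/tl); in a C decoder this product is where integer overflow must be caught
    expected = -(-w // tw) * -(-h // tl)
    probs = []
    if len(offs) != expected or len(sizes) != expected:
        probs.append(f"grid needs {expected} tiles, got {len(offs)} offsets / {len(sizes)} sizes")
    probs += [f"tile at offset {o} ({s} bytes) runs past end of file"
              for o, s in zip(offs, sizes) if o + s > len(data)]
    return probs

def build_tiff(w, h, tw, tl, ntiles, tile_bytes=4):
    """Construct a minimal little-endian tiled TIFF for testing (constructed data, not a real image)."""
    arr_off = 8 + 2 + 12 * 6 + 4                        # arrays follow the IFD and its next-IFD pointer
    offsets = [arr_off + 8 * ntiles + k * tile_bytes for k in range(ntiles)]
    entries = [(256, 1, w), (257, 1, h), (322, 1, tw), (323, 1, tl),
               (324, ntiles, offsets[0] if ntiles == 1 else arr_off),
               (325, ntiles, tile_bytes if ntiles == 1 else arr_off + 4 * ntiles)]
    ifd = struct.pack("<H", 6) + b"".join(struct.pack("<HHII", t, 4, c, v) for t, c, v in entries)
    arrays = struct.pack(f"<{2 * ntiles}I", *offsets, *[tile_bytes] * ntiles)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + arrays + bytes(tile_bytes * ntiles)
```

A file whose declared geometry implies far more tiles than its arrays carry, or whose tiles point past the end of the data, is rejected before any buffer is sized from those values.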

23 comments

  1. So close by Anonymous Coward · · Score: 0

    TIFF file exploiting was ImageTragick - not StageFright. Aren't the cute little media-friendly names descriptive enough for you?

    1. Re:So close by campuscodi · · Score: 1

      Stagefright also works via images. The author is not wrong.

  2. I Get Stage Fright! by Anonymous Coward · · Score: 0

    in the rat race of every day life!

    1. Re:I Get Stage Fright! by Anonymous Coward · · Score: 0

      in the rat race of every day life!

because you have a small dilz???

    2. Re:I Get Stage Fright! by Anonymous Coward · · Score: 0

      Small, it may be, but it's a satin peacock.

  3. Re:The fix for Apple flaws by Anonymous Coward · · Score: 0

    lol seems somebody forgot to check the [] post anonymously box.

  4. ANOTHER UNPATCHED BUG FOUND by Anonymous Coward · · Score: 0

    Apple is known to have a high risk of homosexuality.

    The only way to plug the hole is dildos.

  5. Sandboxing? by rsmith-mac · · Score: 2

    Perhaps I've just missed this in the reports, but is there any analysis on how this is impacted by sandboxing?

Apple tends to keep things pretty locked down and isolated, and while Stagefright was a Go Directly to Root kind of exploit, I'm curious whether this has the same risk. Can a bad TIFF file delivered via iMessage actually break out of iMessage? "Ultimately, an attack could give a hacker access to portions of a computer's memory" is not very descriptive here.

Side note: why the heck is anyone still supporting TIFF as a built-in image format? The TIFF standard is so complex that it has been the source of an innumerable number of security exploits over the years. It's a very risky format to support for exactly this reason.

    1. Re:Sandboxing? by AHuxley · · Score: 1

It would be interesting thought for DRM and an OS. Remove the DRM and the quality "image" with code is used in the unprotected copy as it's part of the new free file. The free copy is then opened and OS and code access to the wider OS is granted to phone home.

As for why, maybe the OS likes a format that's well understood to ensure a set look and feel over desktop, apps, phones.
      A more lossy format might change over different hardware and software. With a push for publish once from any device, some image files might have layout options that are more useful and have been created from a TIFF.
      Photography support for an image as captured. Applications might like to edit a full color image, not just a created jpeg or other format. i.e. a RAW format export to full size, color "unprocessed" TIFF that can then be worked on with hardware, software and full OS support.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Sandboxing? by AmiMoJo · · Score: 1

      Why isn't this getting more coverage? When it's Android everyone shits themselves, even though the danger isn't really that great. When it's Apple, it's largely ignored even though the risk seems to be far greater.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Sandboxing? by Plumpaquatsch · · Score: 1

      Why isn't this getting more coverage? When it's Android everyone shits themselves, even though the danger isn't really that great. When it's Apple, it's largely ignored even though the risk seems to be far greater.

      Because it was just reported. And has already been fixed. And everybody can download the patch now and not only in a couple of months, if at all. And isn't used in the wild. And still gets wide press coverage despite your claim.

      You can start complaining if after 2 months it becomes clear that the fix (which hasn't reached most devices yet) only fixes some of the problems.

      --
      Of course news about a fake are Fake News.
    4. Re:Sandboxing? by AmiMoJo · · Score: 1

Google fixed it right away too, and then pushed the patch out via Play to everyone, and added detection of the exploit to the built in scanner for non-Play apps.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Sandboxing? by Plumpaquatsch · · Score: 1

Google fixed it right away too, and then pushed the patch out via Play to everyone, and added detection of the exploit to the built in scanner for non-Play apps.

Actually, they had already fixed it two months before, but waited to tell the public until at least some devices were actually fixed. And then they fixed a very similar bug again two months later. And then most devices still didn't even have the first patch. Don't try to kid me, stick to your own illusions.

      --
      Of course news about a fake are Fake News.
    6. Re:Sandboxing? by trparky · · Score: 1

      I don't understand how Google could have fixed this. You say that it was pushed via Google Play but how? It's a system-level binary, Google can't touch that; only an update from your particular Android OEM can fix this via an OTA update.

      Oh oh, Google can push this or that via the Google Play services. WRONG! Google can update their own stuff, yes, I'm not denying that but if it's a system-level binary (like Stagefright) or kernel-related Google can't do shit about it! Meanwhile you have to sit and wait for your Android OEM to decide to grace your device with an OTA update to fix it all the while your device is vulnerable to whatever the exploit is.

    7. Re: Sandboxing? by Anonymous Coward · · Score: 0

      Actually, if you even bothered to use an android device, you would know that Android devices can update apps over the play store.

      Even if it couldn't touch the actual vulnerability, the browser, instant messaging, file manager, WebView (the way 3rd party apps launch mini web browser) or even put an app that overrides the TIFF handling intent.

      Patching the ways to exploit an app is just as good until the vulnerability is handled.

  6. Are all older devices left vulnerable? by Anonymous Coward · · Score: 0

    What happens to those older devices, which can not be updated to latest IOS? Such devices are still sold as new in stores to clueless customers.

    1. Re:Are all older devices left vulnerable? by Plumpaquatsch · · Score: 1

      What happens to those older devices, which can not be updated to latest IOS? Such devices are still sold as new in stores to clueless customers.

The ones where the bug isn't found? They will have to live with the fact that they were never vulnerable

      --
      Of course news about a fake are Fake News.
2. Re:Are all older devices left vulnerable? by trparky · · Score: 1

      What devices aren't supported by iOS 9?

      The following devices are supported by iOS 9...
      * iPad 2 (Released March 11, 2011, five years ago)
      * iPad 3 (Released March 16, 2012, four years ago)
      * iPad 4 (Released November 2, 2012, four years ago)
      * iPad Air (Released November 1, 2013, three years ago)
      * iPad Air 2 (Released October 22, 2014, two years ago)
      * iPad mini (Released November 2, 2012, four years ago)
      * iPad mini 2 (Released November 12, 2013, three years ago)
      * iPad mini 3 (Released October 22, 2014, two years ago)
      * iPad mini 4 (Released September 9, 2015, one year ago)
      * iPhone 4s (Released October 14, 2011, five years ago)
      * iPhone 5 (Released Sept. 21, 2012, four years ago)
      * iPhone 5c (Released September 20, 2013, three years ago)
      * iPhone 5s (Released September 20, 2013, three years ago)
      * iPhone 6/6 Plus (Released September 19, 2014, two years ago)
      * iPhone 6s/6s Plus (Released September 25, 2015, one year ago)

      The oldest devices, the iPad 2 and iPhone 4s are still supported, five years later! Amazing, absolutely amazing! Whereas most Android OEMs give up on older devices after only a year because it's just too damn profitable to sell you a new device instead.

    3. Re: Are all older devices left vulnerable? by Anonymous Coward · · Score: 0

      Do they have all the same features? It's not really an update if they're arbitrarily restricting features and components.

      They had no issues excluding code assistants.

      At best, those are 7.x not 9. I also hope the device doesn't become slow as shit because they never provided enough hardware - RAM and resources despite charging the most. As usual, taking advantage of the nontechies.

  7. What about iOS 7 and iOS 8? by Anonymous Coward · · Score: 0

    Why exactly do I need to be on the upgrade bandwagon to receive critical updates for otherwise defective software?

    I've got a few handhelds still running iOS 6. The others are running iOS 7. I have no desire to upgrade them at all because: A) they're not that old, and B) the more recent versions of iOS slow down the devices considerably.

    So my choice is now between having a secure and slow (to the point of being unusable in some cases) device, or a fast and insecure device?

What the fuck happened to actually supporting software for more than a few years? Why do I need to upgrade everything (potentially changing the way I interact with the device, and in the case of Apple, requiring a whole new OS on my computer as well just to sync with everything) just to get critical security updates?