Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Patches Stagefright-Like Bug In IOS (fortune.com)

Posted by msmash on from the security-woes dept.

Reader Trailrunner7 writes: Apple has fixed a series of high-risk vulnerabilities in iOS, including three that could lead to remote code execution, with the release of iOS 9.3.3. One of those code-execution vulnerabilities lies in the way that iOS handles TIFF files in various applications (Alternate source: Fortune ). Researchers at Cisco's TALOS team, who discovered the flaw, said that the vulnerability has a lot of potential for exploitation. "This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files," Cisco TALOS said in a blog post.

10 of 23 comments (clear)

  1. Re:So close by campuscodi · · Score: 1

    Stagefright also works via images. The author is not wrong.

  2. Sandboxing? by rsmith-mac · · Score: 2

    Perhaps I've just missed this in the reports, but is there any analysis on how this is impacted by sandboxing?

    Apple tends to keep things pretty locked down and isolated, and while Stagefright was a Go Directly to Root kind of exploit, I'm curious whether this has the same risk. Can a bad TIFF file delivered via iMessage actually break out of iMessage? "Ultimately, an attack could give a hacker access to portions of a computerâ(TM)s memory" is not very descriptive here.

    Side note: why the heck is anyone still supporting TIFF as a built-in image format. The TIFF standard is so complex that it has been the source of an innumerable number of security exploits over the years. It's a very risky format to support for exactly this reason.

    1. Re:Sandboxing? by AHuxley · · Score: 1

      It would be interesting thought for DRM and an OS. Remove the DRM and the quality "image" with code is used in the unprotected copy as its part of the new free file. The free copy is then opened and OS and code access to the wider OS is granted to phone home.

      As for why, maybe the OS likes a format thats well understood to ensure a set look and feel over desktop, apps, phones.
      A more lossy format might change over different hardware and software. With a push for publish once from any device, some image files might have layout options that are more useful and have been created from a TIFF.
      Photography support for an image as captured. Applications might like to edit a full color image, not just a created jpeg or other format. i.e. a RAW format export to full size, color "unprocessed" TIFF that can then be worked on with hardware, software and full OS support.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Sandboxing? by AmiMoJo · · Score: 1

      Why isn't this getting more coverage? When it's Android everyone shits themselves, even though the danger isn't really that great. When it's Apple, it's largely ignored even though the risk seems to be far greater.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Sandboxing? by Plumpaquatsch · · Score: 1

      Why isn't this getting more coverage? When it's Android everyone shits themselves, even though the danger isn't really that great. When it's Apple, it's largely ignored even though the risk seems to be far greater.

      Because it was just reported. And has already been fixed. And everybody can download the patch now and not only in a couple of months, if at all. And isn't used in the wild. And still gets wide press coverage despite your claim.

      You can start complaining if after 2 months it becomes clear that the fix (which hasn't reached most devices yet) only fixes some of the problems.

      --
      Of course news about a fake are Fake News.
    4. Re:Sandboxing? by AmiMoJo · · Score: 1

      Google fixed it right away too, and then pushed the patch out via Play to everyone, and added detection if the exploit to the built in scanner for non-Play apps.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Sandboxing? by Plumpaquatsch · · Score: 1

      Google fixed it right away too, and then pushed the patch out via Play to everyone, and added detection if the exploit to the built in scanner for non-Play apps.

      Actually, they had already fixed it two months before, but waited to tell the public until at least some devices where actually fixed. And then they fixed a very similar bug again two months later. And then most devices still didn't even have the first patch. Don't try to kid me, stick to your own illusions.

      --
      Of course news about a fake are Fake News.
    6. Re:Sandboxing? by trparky · · Score: 1

      I don't understand how Google could have fixed this. You say that it was pushed via Google Play but how? It's a system-level binary, Google can't touch that; only an update from your particular Android OEM can fix this via an OTA update.

      Oh oh, Google can push this or that via the Google Play services. WRONG! Google can update their own stuff, yes, I'm not denying that but if it's a system-level binary (like Stagefright) or kernel-related Google can't do shit about it! Meanwhile you have to sit and wait for your Android OEM to decide to grace your device with an OTA update to fix it all the while your device is vulnerable to whatever the exploit is.

  3. Re:Are all older devices left vulnerable? by Plumpaquatsch · · Score: 1

    What happens to those older devices, which can not be updated to latest IOS? Such devices are still sold as new in stores to clueless customers.

    The ones where the bug isn't found? They will have to live with the fact that they where never vulnerable

    --
    Of course news about a fake are Fake News.
  4. Re:Are all older devices left vulnerable? by trparky · · Score: 1
    What devices aren't supported by iOS 9?

    The following devices are supported by iOS 9...
    * iPad 2 (Released March 11, 2011, five years ago)
    * iPad 3 (Released March 16, 2012, four years ago)

    * iPad 4 (Released November 2, 2012, four years ago)
    * iPad Air (Released November 1, 2013, three years ago)
    * iPad Air 2 (Released October 22, 2014, two years ago)
    * iPad mini (Released November 2, 2012, four years ago)
    * iPad mini 2 (Released November 12, 2013, three years ago)
    * iPad mini 3 (Released October 22, 2014, two years ago)
    * iPad mini 4 (Released September 9, 2015, one year ago)
    * iPhone 4s (Released October 14, 2011, five years ago)
    * iPhone 5 (Released Sept. 21, 2012, four years ago)
    * iPhone 5c (Released September 20, 2013, three years ago)
    * iPhone 5s (Released September 20, 2013, three years ago)
    * iPhone 6/6 Plus (Released September 19, 2014, two years ago)
    * iPhone 6s/6s Plus (Released September 25, 2015, one year ago)

    The oldest devices, the iPad 2 and iPhone 4s are still supported, five years later! Amazing, absolutely amazing! Whereas most Android OEMs give up on older devices after only a year because it's just too damn profitable to sell you a new device instead.