Stagefright-like Exploit Found in Apple Operating Systems

Andrew Orr In the News

A Cisco researcher has discovered a new vulnerability in macOS and iOS. They call the vulnerability Stagefright, and it is dangerous.

Discovered last year, Stagefright was a vulnerability found in Android. A vulnerability is defined as “a mistake in software [programming] that can be directly used by a hacker to gain access to a system or network.” Stagefright could infect an Android phone via a simple MMS message. You did not even have to open the message for it to compromise your phone. Once your phone received the message, it ran the code that gave the hacker complete control over the phone.

Now, it looks like five similar vulnerabilities lurk in iOS, OS X, watchOS, and tvOS. Tyler Bohan of Cisco Talos made the discoveries. An attacker can gain complete access to your device by sending you an image containing the malicious code. As with Stagefright on Android, it requires no action from you: it can be triggered by anything from opening an iMessage to visiting an infected website.

TALOS-2016-0171

Tagged Image File Format (TIFF) (CVE-2016-4631)

TIFF is an image format that is popularly used by graphic designers and photographers. It is a lossless file format, which means that the images do not get compressed. The vulnerability was found in the method in which the Java Image I/O API parses and handles tiled TIFF image files.

When these images are rendered by apps that use the Image I/O API, a specially crafted TIFF file can be used to create a heap-based buffer overflow and give an attacker remote code execution abilities. This means that the attacker can deliver a payload of code that takes advantage of this vulnerability. This particular vulnerability affects devices up to OS X 10.11.5 and iOS 9.3.2.

TALOS-2016-0180 & TALOS-2016-0181

OpenEXR File Format (CVE-2016-4629, CVE-2016-4630)

OpenEXR is another image file format for high dynamic range images. It was developed by Industrial Light and Magic for the visual effects industry. A malicious OpenEXR file could cause the Image I/O API to write the information within the image to the device memory outside of the intended destination buffer.

The Image I/O API has another vulnerability in how it handles B44 compressed data inside OpenEXR files. Similar to the previous vulnerability, these can also let a hacker remotely execute code on the device.

TALOS-2016-0183

Digital Asset Exchange File Format (CVE-2016-1850)

Also known as Collaborative Design Activity files, this is an XML file format that is used to exchange files between digital content creation tools that might otherwise have incompatible file formats. One such example is Apple’s SceneKit, which is a 3D modeling framework that uses DAE files.

It is possible for a hacker to pass a specially crafted DAE file to SceneKit and trick it into believing that it is a different file type. As with the previous vulnerability, the file can then write to memory that was not intended for it, allowing the hacker to execute remote code with elevated privileges.

TALOS-2016-0183 was patched in OS X 10.11.5.

TALOS-2016-0186

BMP File Format (CVE-2016-4637)

BMP file headers contain information about the size, layout, and type of the image. The vulnerability lies in the way that the height property of the image is handled. When a hacker creates a special BMP file, saves it, and reopens it, part of the size information can be altered. The result is a remote code execution exploit when the BMP file is opened in any app that uses the Apple Core Graphics API.
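The height-handling problem described above, as an added illustration that is not Apple's Core Graphics code and does not reproduce the specifics of the Apple defect (which this page does not give): a BMP header check that validates the declared dimensions, does its size arithmetic in 64 bits, and refuses any header whose promised pixel data the file's real length cannot back. The header layout, size limit and helper names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Illustrative hardened header check for the BMP format discussed above (not Apple's code). */
typedef struct { uint32_t width, height, row_bytes; uint16_t bpp; uint64_t pixel_bytes; } bmp_info;

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

#define BMP_MAX_DIM 16384u   /* assumed policy limit: larger dimensions are treated as hostile, never allocated for */

/* Returns 1 and fills *info only if the header describes pixel data that is fully present in the
 * `len` bytes actually available; 0 for anything truncated, out of range, or arithmetically suspect. */
int bmp_validate(const uint8_t *buf, size_t len, bmp_info *info) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;      /* 14-byte file header + 40-byte info header */
    uint32_t data_off = rd32(buf + 10);
    int32_t  width    = (int32_t)rd32(buf + 18);
    int32_t  height   = (int32_t)rd32(buf + 22);                     /* negative height = top-down bitmap */
    uint16_t bpp      = (uint16_t)(buf[28] | buf[29] << 8);

    /* INT32_MIN is rejected by name: negating it overflows and leaves the value negative. */
    if (width <= 0 || height == 0 || height == INT32_MIN) return 0;
    uint32_t h = height < 0 ? (uint32_t)(-height) : (uint32_t)height;
    if ((uint32_t)width > BMP_MAX_DIM || h > BMP_MAX_DIM) return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return 0;

    /* 64-bit arithmetic so attacker-chosen dimensions cannot wrap a 32-bit size to something small. */
    uint64_t row_bytes = (((uint64_t)width * bpp + 31) / 32) * 4;   /* rows are padded to 4 bytes */
    uint64_t pixels    = row_bytes * h;
    if (data_off < 54 || data_off > len || pixels > len - data_off) return 0;   /* data must really be present */

    info->width = (uint32_t)width; info->height = h; info->bpp = bpp;
    info->row_bytes = (uint32_t)row_bytes; info->pixel_bytes = pixels;
    return 1;
}

/* Test helper: build a constructed file of `file_len` zeroed bytes whose header claims the given
 * dimensions, run it through bmp_validate, and return the computed pixel byte count or -1 if rejected. */
int64_t bmp_check_constructed(int32_t width, int32_t height, uint16_t bpp, size_t file_len) {
    uint8_t file[4096] = {0};
    if (file_len > sizeof file) return -1;
    file[0] = 'B'; file[1] = 'M';
    wr32(file + 2, (uint32_t)file_len); wr32(file + 10, 54); wr32(file + 14, 40);
    wr32(file + 18, (uint32_t)width); wr32(file + 22, (uint32_t)height);
    file[28] = (uint8_t)bpp; file[29] = (uint8_t)(bpp >> 8);
    bmp_info info;
    return bmp_validate(file, file_len, &info) ? (int64_t)info.pixel_bytes : -1;
}
```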

Known Vulnerable Versions

TALOS-2016-0171

OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, OS X El Capitan 10.11.5

iOS 9.3.2, watchOS 2.2.1, tvOS 9.2.1

TALOS-2016-0180 & TALOS-2016-0181

OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, OS X El Capitan 10.11.5

TALOS-2016-0183

OS X El Capitan 10.11.4 (patched in 10.11.5)

TALOS-2016-0186

OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, OS X El Capitan 10.11.5

iOS 9.3.2, watchOS 2.2.1, tvOS 9.2.1