Wavering about Apple's latest security fix? Don't, says Talos

The very image of a remote exploit

Here's another reason to press “install” on Apple's latest OS X and iOS security patches: a slew of image-handling vulnerabilities.

Now that Apple's released the patched versions, Cisco's Talos researchers have gone public with the details of their contribution to the fixes.

The most serious of the bugs is in TIFF image processing (CVE-2016-4631), since it's the easiest to exploit, and could be practically everywhere, because it's present in “OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions”.

In some applications, the Apple Image I/O API attempts to render an image without user interaction: that means an attacker can compromise a victim's machine remotely, by sending them a crafted, tiled TIFF to trigger a buffer overflow.

Since image rendering is used throughout applications, the opportunities for exploitation are almost limitless, but Talos highlights messaging in particular as the attack vector – iMessage, MMS, malicious Web pages, and anything else that uses the Image I/O API.

The API also has vulnerabilities in handling OpenEXR (a high dynamic range format developed by Industrial Light and Magic) files, designated CVE-2016-4629 and CVE-2016-4630.

A malicious OpenEXR file can trick the API into writing outside the destination buffer; and the same can happen handling B44-compressed data inside OpenEXR files.

The other two bugs are CVE-2016-1850, a problem in how Digital Asset Exchange XML files are handled, and, for the nostalgic, CVE-2016-4637: even BMP files provide an attack vector.

