Apple software has flaws that could give attackers access to passwords by sending a single malicious text message. Apple has a patch for the vulnerabilities, available for download beginning this week. The updates do not install automatically; they have to be downloaded and installed.
Cisco Talos, a networking company, discovered the vulnerabilities. According to Craig Williams, their senior technical leader, the flaw is a “high severity issue.” The tech expert was very concerned that an attacker could exploit a victim without any interaction.
ImageIO contains the flaw. ImageIO is a programming interface that reads and writes image data. An attacker could craft an attack by sending the victim a booby-trapped MMS containing malicious code. The code would execute the second the MMS was received. Williams pointed out that iMessage triggers the code, and went on to explain that email messages and links to websites could also deliver it. These alternative methods would require the victim to actually open the image or visit the site in the Safari browser for the code to execute.
Such an attack could be devastating, as it grants the attacker access to the memory of the device, where the attacker will find stored passwords and login details. Cisco determined that the flaws are present in recent versions of Apple software: iPhone’s iOS, Mac’s OS X El Capitan, Apple Watch’s watchOS, and Apple TV’s tvOS.
An attacker could do a lot of harm by sending an infected message to thousands of Apple devices. Such an attack would be similar to the Stagefright vulnerabilities that affected Android software a year ago. The Android issue stayed unpatched for longer, giving attackers a lot of control over infected devices. Luckily, the Apple software was patched, meaning Apple users can now relax.
You should not wait; update the software on all Apple devices you own immediately. According to Tyler Bohan, the Cisco Talos researcher who discovered the flaw, attackers could have already exploited the vulnerabilities.
There is another reason to update iOS. A Salesforce engineer found another flaw in Apple software that allows attackers to eavesdrop on FaceTime conversations. The new iOS 9.3.3 patches this flaw too.
People are often slow to install security patches. Don’t be one of them, and, as always, get yourself a good VPN.