Apple’s iOS just had its own Android Stagefright moment.
Among a thicket of important Apple patches released on 24 October 2016, iOS 10.1 fixes a serious memory corruption flaw that could allow an attacker to take control of an iPhone or iPad simply by getting a user to view a booby-trapped JPEG file.
Labelled CoreGraphics (CVE-2016-4673) in Apple’s update list, the patch is available for Apple devices from the iPhone 5, iPad 4, and iPod Touch 6th generation and later, and has also been fixed for watchOS and macOS in separate patches.
As Apple describes it:
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
This CoreGraphics bug bears a passing resemblance to the Stagefright vulnerabilities, a clutch of secuity holes in Android’s core media-playing engine back in 2015.
Stagefright could, in theory, have put an attacker in control simply by the user receiving and automatically opening a malicious MMS message.
In theory, Apple’s CoreGraphics security issue isn’t that far removed from Android’s SNAFU – you could end up hijacked simply by reading a message or opening an image file on your iPhone.
The moral?
Mobile platforms aren’t terribly different to one another these days. They all run software that does similar things, and their programmers make similar mistakes.
More bugs
Elsewhere, macOS Sierra 10.12.1 gets a pile of fixes, including its own fix for the CoreGraphics image-handling bug described above.
Others patched fix a password-handling flaw that would allow an attacker to observe password length (CVE-2016-4670), a denial of service glitch in Nvidia graphics drivers (CVE-2016-466), and a remote code execution flaw (CVE-2016-4667) that could be triggered by a booby-trapped font file.
Two of these flaws arrived at Apple courtesy of Google’s Project Zero, another sign of how integrated the bug-hunting world is becoming.
A final standout is the Apple FaceTime vulnerability (CVE-2016-4635) that could allow an attacker to eavesdrop by keeping open an audio stream after showing the user it has ended. This was fixed earlier this summer for older iOS and OS X versions of Apple products.
Other bits of Apple’s sprawling product world get attention, too.
AppleTV gets an update to tvOS 10.0.1 to fix 11 issues, the Apple Watch watchOS 3.1 has eight patches, and Safari gets two.
Apple users can get these fixes by visiting iTunes or by checking the App Store. Apple TV updates can be downloaded through Settings | General | Update Software, while the Apple Watch receives them via an iPhone.
As the sages of Sophos like to say: patch early, patch often!
Image by ymgerman / Shutterstock.com
tartanrose
Thanks for this informative article.
I have a question that I hope can be answered. What happens with those that suddenly find themselves with older devices……….those who have iPads using 9.3.5 for instance who were not included in the major update to IOS 10.
I’ve always been diligent about update, update often ………..but suddenly you find your equipment is Out of Date. Maybe the idea I guess is an update of a different kind!
A bit sad for those not so cashed up who are still feeling happy to have an iPad in the first place!
But I guess what I need to know is can I keep using my 9.3.5
But thank you for all the good work done at Sophos.
Rosie
RichardD
So presumably those of us stuck with an iPhone 4 are out of luck? No sign of a fix for iOS 9 yet.
pokecaptain
Apple does not push fixes for older iOS devices. If your device cannot upgrade to the next major version, it will receive no further updates whatsoever. Consider your iPhone 4 insecure and upgrade it.
Wilderness
Apple would be happy to sell you a new phone :-)
Steve
Looks like somebody forgot their closing font tags, so the rest of the page, following that “patch early, patch often” advice, appears in italicized text.
Paul Ducklin
Fixed, thanks. (It was the image acknowledgement right at the end.)