Remember Stagefright?
Stagefright was one of 2015’s most newsworthy BWAINs (Bugs with an Impressive Name): a security hole, or more accurately a cluster of holes, in Android’s libstagefright multimedia software component.
Multimedia objects such as images, video and audio are often stored in files with complex formats.
That, in turn, means lots of clever programming to read them in, decode them, decompress them into memory and prepare them for display.
And, as you probably know only too well, the more complex a program gets; the more calculations it needs to do based on numbers extracted from untrusted files; the more it needs to mess around allocating and deallocating memory and shuffling data between memory buffers…
…the more likely it is that some sort of buffer overflow or integer overflow bug will show up.
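As an added illustration of that integer-overflow-becomes-buffer-overflow pattern (a constructed example written for this page, not code from the article, from Apple’s ImageIO or from libstagefright): a decoder computes a pixel buffer size from three untrusted header fields. The naive version multiplies in 32 bits and silently wraps; the hardened version bounds-checks each multiplication before doing it. The 256 MiB ceiling is an assumed policy value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed example: width, height and bytes-per-pixel as an image
 * decoder would read them, untrusted, from a file header.
 * No real image format is parsed here. */

/* Naive size calculation. All three operands are 32-bit, so the product
 * wraps modulo 2^32: a header claiming 65537 x 65536 x 1 yields 65536,
 * a tiny allocation that the pixel copy which follows would overrun. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened size calculation. Rejects zero or absurd fields, then checks
 * each multiplication against a ceiling before performing it, so the
 * result can never wrap. Returns 0 for any rejected header. */
size_t checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    const size_t limit = (size_t)256 * 1024 * 1024; /* assumed cap: 256 MiB */
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return 0;
    if ((size_t)width > limit / height)   /* width * height would exceed limit */
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > limit / bpp)             /* pixels * bpp would exceed limit */
        return 0;
    return pixels * bpp;
}

/* Allocate the pixel buffer only when the checked size is acceptable.
 * Returns NULL (and sets *out_len to 0) for a header that fails the check. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp,
                            size_t *out_len)
{
    size_t n = checked_pixel_bytes(width, height, bpp);
    *out_len = 0;
    if (n == 0)
        return NULL;
    unsigned char *buf = calloc(n, 1);
    if (buf != NULL)
        *out_len = n;
    return buf;
}
```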
Not all vulnerabilities can be turned into working exploits, where crooks can send deliberately-crafted files that not only crash the offending code but also wrangle control from it in the process.
But overflow vulnerabilities that can be exploited often turn into full-blown RCEs, or remote code execution flaws, which means not only that crooks can trick buggy software into running unauthorised program code, but also that they can do so using content sent from afar.
Image rendering bugs are particularly dangerous when they are “weaponised” into RCEs, because so many of the images we receive these days are processed and displayed automatically as an expected part of some other innocent activity.
That’s why Android’s series of Stagefright bugs caused widespread alarm (more alarm than was needed, fortunately), because apps that auto-render and auto-display images include:
- Messaging apps. Text messages contain only text, but messages sent using MMS (the mobile phone network’s multimedia messaging system) usually link directly to image files, which are pulled down and processed automatically by the messaging software.
- Email clients. Email attachments are easy enough to open by mistake, but they require an extra tap after reading the message in the first place. Inline images simply appear as part of the message, so just reading an email containing images may be enough for an attack to succeed.
- Browsers. Modern web pages typically contain anywhere from tens to hundreds of images, all of which are processed, scaled and put into the page that gets displayed.
The bad news in all of these cases is that the sender gets to decide what images are included, as well as what format they are in.
In other words, even if there’s an unusual bug in an abstruse image format you’ve never used yourself, the sender can pick that format, and the app does the work of figuring out what program code to use to process it, and how to display it on screen.
MMSes are a particularly nasty problem here: the sender can push messages to your device any time, and most messaging apps automatically pre-fetch the images they link to, ready for later.
With a website, you can always decide not to visit it at all; with emails you can at least delete unknown emails from your inbox without opening them first, giving you a fighting chance of avoiding suspicious and unwanted content.
But MMSes are generally “just there,” ready and waiting, so as soon as you look at your list of messages, any booby-trapped images sent to you have already had their chance.
Stagefright on Macs and iPhones
Well, it seems that Stagefright has come to Macs and iPhones, after a fashion.
In Apple’s recent security updates for OS X (10.11.6) and iOS (9.3.3), some of the patched bugs are listed like this:
ImageIO
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed through improved memory handling.
Four different bugs (CVE-2016-1850, CVE-2016-4629, CVE-2016-4630, CVE-2016-4631) were fixed; the “biggie” is CVE-2016-4631.
Loosely speaking, Apple’s ImageIO is its equivalent of Google’s libstagefright.
According to security researcher Tyler Bohan of Cisco Talos: the CVE-2016-4631 bug occurs in the handling of TIFF images; the faulty code affects both OS X and iOS; and the bug has been around for ages.
The bottom line, therefore, is that your iDevice or Mac is almost certainly vulnerable if you haven’t installed the very latest update yet.
(We sometimes hear from people who naively assume that once they get really out of date, for example by sticking with Windows XP, even their exploitable vulnerabilities go stale and out of fashion; not so here, according to Bohan.)
In theory, then, now that the CVE-2016-4631 hole is known, and the crooks have hints on where to start looking to find a working exploit, there’s a real risk of OS X and iOS malware or data-stealing attacks that can be triggered by messages or emails.
Even if iOS malware were to take over just your Messaging app, and be constrained by iOS’s sandboxing to messaging data only, you could have plenty of personal information at stake.
What to do?
- Patch early, patch often. That may be one of our truisms, but truisms get to be truisms precisely because they’re true!
- Consider turning off MMS messaging. If you don’t use MMSes (I haven’t received one for ages), you can turn them off altogether on iOS in Settings | Messages.
James Mac
Does the MacOS 10.11.6 upgrade fix these issues, or are there known issues that the upgrade doesn’t fix? It’s not clear from your posting.
Paul Ducklin
The updates apparently fix the vulnerabilities listed by number in the article.
Apologies for my slightly casual quotation from Apple’s security advisory. The bit where I list Apple’s official words about the ImageIO bug (where it says Impact and Description)…that text is from Apple’s list *of holes that were fixed in the latest updates*, not merely a list of holes that are known.
AFAIK, the known issues have been fixed, which is why Tyler Bohan of Cisco Talos only went public with his article now. (Responsible disclosure: agree a time by which the vendor will have fixed the hole, and only discuss it in public after that.)
Anonymous
Paul – I greatly appreciate your advice for people to patch early/often. In today’s age, one would think that would be second nature but alas it isn’t… And it certainly doesn’t help when there are other IT blogs out there with some soapbox-expert who thinks it is smart to tell people to do the very opposite…
http://www.cio.com/article/3093433/consumer-advice/why-you-should-avoid-os-upgrades-from-microsoft-and-apple-for-now.html
Paul Ducklin
Peculiar article.
It says, “You’ll eventually want to upgrade to Windows 10 and iOS 10” – a strange way of putting things, because Windows 10 has been out for nearly a year already, while iOS 10 isn’t out at all yet.
David
It’s Settings | Messages, not messaging.
Paul Ducklin
Aaargh, you’re right…I fixed it.
Thanks for noticing (and telling us).
John Day
Very well written, Paul. You’ve taken a highly technical subject and explained it in an easy-to-understand fashion. Good work!
Anonymous
Hi Paul! Thanks for the great article! How do I know if my iOS or MacOS system has been compromised?
Paul Ducklin
The $64,000 question!
In this case, it’s unlikely because this is not a zero-day (when an exploit is available before the patch) so you can get the patch in early.
Jana Squires
Thanks Paul. Does anyone know if there is an OSX security patch for 10.10?
Paul Ducklin
OS X 10.9.5 and OS X 10.10.5 don’t get a “point” update to dot-6. They get “Security Update 2016-004”.
The 10.11.6 update includes the latest Safari; the 2016-004 update might not. Check after you have updated. Safari needs to get to 9.1.2.
OS X update: https://support.apple.com/en-gb/HT206903
Safari: https://support.apple.com/en-gb/HT206900
You can also update 10.10 by upgrading to El Capitan. I can’t see any reason not to, though your mileage may vary.
Savitha Nandakishore
Do Windows users need to worry about this vulnerability?
Paul Ducklin
No. It’s specific to Apple’s operating system products.