Apple's latest software updates fix flaw resembling Android Stagefright

Apple's recent iOS, OS X, tvOS and watchOS updates patch a previously unknown security flaw that could let an attacker surreptitiously gather sensitive data with a single text message, an OS-level bug that bears a striking resemblance to last year's much-derided Stagefright vulnerability on Google's Android platform.

Like Stagefright, the iOS vulnerability discovered by Cisco Talos engineer Tyler Bohan involves media files delivered by MMS: specifically, specially crafted Tagged Image File Format (TIFF) files carrying payloads designed to trigger buffer overflows.

As described by Bohan, when a malicious TIFF file is rendered on a target device, it triggers a buffer overflow in iMessage, or in any other app that uses Apple's Image I/O API to render the image, allowing remote code execution. Depending on the payload, attackers might be able to gain access to account logins, passwords and other sensitive information.

Bohan notes the vulnerability is especially dangerous because certain iOS apps, including iMessage, automatically attempt to render TIFF images by default. In such cases the payload fires without any user interaction. Safari is also vulnerable, though users need to click on a link or load a malicious webpage to trigger the payload.

Forbes reported on the vulnerability's discovery earlier today.

According to Apple's website, the patched flaw affects the ImageIO image-handling framework, meaning devices running older versions of iOS, OS X, tvOS and watchOS are at risk. Luckily, Apple on Monday released iOS 9.3.3, OS X 10.11.6, tvOS 9.2.2 and watchOS 2.2.2, all of which patch the bug.
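The defensive lesson behind a bug like this is that every offset and count read from an untrusted TIFF must be checked against the buffer length, in overflow-proof arithmetic, before any decoder dereferences it. The following bounds-checked validator for the TIFF header and first IFD is an added example written for this page; it is not code from Apple's ImageIO or from Cisco Talos, and it assumes the classic 32-bit TIFF layout with hand-assembled sample inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Byte-order-aware readers; le is 1 for "II" (little-endian) files. */
static uint32_t rd16(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 : (uint32_t)p[0] << 8 | p[1];
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? rd16(p, le) | rd16(p + 2, le) << 16 : rd16(p, le) << 16 | rd16(p + 2, le);
}
/* Byte size of TIFF field types 1 (BYTE) .. 12 (DOUBLE); index 0 unused. */
static const uint32_t tsize[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Validate the header and first IFD of an in-memory TIFF before a decoder
 * touches it. Returns the entry count, or -1 if the file is truncated, the
 * IFD or any out-of-line tag data lies outside the buffer, or a field type
 * is unknown. Size arithmetic is 64-bit so count*size cannot wrap to a
 * small value and slip past a 32-bit check. */
int tiff_check(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;
    int le;
    if (!memcmp(buf, "II", 2)) le = 1;
    else if (!memcmp(buf, "MM", 2)) le = 0;
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;          /* TIFF magic number */
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len - 2) return -1;         /* room for entry count */
    uint32_t n = rd16(buf + ifd, le);
    if (n == 0 || (uint64_t)ifd + 2 + (uint64_t)n * 12 + 4 > len) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint32_t type = rd16(e + 2, le), count = rd32(e + 4, le);
        if (type < 1 || type > 12) return -1;
        uint64_t bytes = (uint64_t)count * tsize[type];
        if (bytes > 4 && (uint64_t)rd32(e + 8, le) + bytes > len) return -1;
    }
    return (int)n;
}

/* Constructed sample inputs (hand-assembled bytes, not real files). */
static const uint8_t good_tiff[] = {
    'I','I', 42,0, 8,0,0,0, 1,0,               /* LE header, IFD at 8, 1 entry */
    0x00,0x01, 3,0, 1,0,0,0, 16,0,0,0,         /* ImageWidth SHORT count 1 = 16 */
    0,0,0,0 };                                 /* no next IFD */
static const uint8_t bad_offset[] = { 'I','I', 42,0, 0xFF,0xFF,0,0 }; /* IFD at 65535 */
static const uint8_t bad_count[] = {
    'I','I', 42,0, 8,0,0,0, 1,0,
    0x11,0x01, 4,0, 0x01,0,0,0x40, 26,0,0,0,   /* StripOffsets LONG count 0x40000001 */
    0,0,0,0 };                                 /* 32-bit count*4 would wrap to 4 */
```

The third sample is the interesting one: a 32-bit `count * 4` would wrap to 4 and look like an inline value, so a decoder trusting that product would read far past the end of the buffer.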

Comments

  • Reply 1 of 14
    cali (Posts: 3,494, member)
    Wait a f**ing minute. You mean a bug similar to android was capable on iOS?

    Stagefright is one of the biggest reasons why I defend iOS. Tell me it isn't the same only "similar" in a clickbait manner.

    Can it be triggered without opening a message like StageFright?
  • Reply 2 of 14
    elijahg (Posts: 2,753, member)
    cali said:
    Wait a f**ing minute. You mean a bug similar to android was capable on iOS?

    Stagefright is one of the biggest reasons why I defend iOS. Tell me it isn't the same only "similar" in a clickbait manner.

    Can it be triggered without opening a message like StageFright?
    If message previews are on, presumably it crashes the lockscreen... There've been a lot of vulnerabilities in TIFF over the years, I dunno why though. For "risky" apps such as Messages, Apple should be restricting API accesses related to received files to a minimum, i.e. only JPEG, PNG and GIF supported for images, at least. 
  • Reply 3 of 14
    EsquireCats (Posts: 1,268, member)
    While exploits that don't require any user intervention are a serious matter, the reasons why StageFright was (and continues to be) such a big deal are:

    1. There is no facility to update literally hundreds of millions of vulnerable Android devices
    2. Google's patch for the bug didn't fully address the vector and it was quickly worked around
    3. The bug was being exploited "out in the wild"

    The 1st point is serious because it means that the number of infected users will continue to grow over time, despite efforts by Google/partners.

    The 2nd point is serious as it drew significant attention to the vulnerability and how it worked - enabling many more nefarious actors to implement it.

    The 3rd point is serious because, unlike iOS, there was a demonstrable outcome to the vulnerability. This is different from iOS as the payload may not have been able to be effective due to other layers of iOS security coming into play (which has significantly limited the scope for damage with other iOS vulnerabilities in the past.)


    Unlike Android, this is not iOS's first day at the rodeo.

    edited July 2016
  • Reply 4 of 14
    Rosyna (Posts: 87, member)
    cali said:
    Wait a f**ing minute. You mean a bug similar to android was capable on iOS?

    Stagefright is one of the biggest reasons why I defend iOS. Tell me it isn't the same only "similar" in a clickbait manner.

    Can it be triggered without opening a message like StageFright?
    It wasn't really similar for messages because there was no way to easily get out of the Messages sandbox without a separate exploit, especially given the privilege level Messages runs at. The issue with Stagefright is that Android had/has numerous known sandbox exploits that went unfixed based on which OEM made your phone.

    The "passwords" thing only applied to Safari crashing when displaying the TIFF and it only had access to data in MobileSafari's address space (or APIs Safari had access to that didn't require XPC service privilege checks). This pretty much limited it to cookies and any websites you had visited with login forms visited during that Safari session (iOS frequently tombstones Safari in the background, which purges this memory).

    Either way, it was announced after Apple had pushed out the update that fixed it. 
  • Reply 5 of 14
    gatorguy (Posts: 24,176, member)
    EsquireCats said:
    While exploits that don't require any user intervention are a serious matter, the reasons why StageFright was (and continues to be) such a big deal are:

    1. There is no facility to update literally hundreds of millions of vulnerable Android devices
    2. Google's patch for the bug didn't fully address the vector and it was quickly worked around
    3. The bug was being exploited "out in the wild"

    The 1st point is serious because it means that the number of infected users will continue to grow over time, despite efforts by Google/partners.

    The 2nd point is serious as it drew significant attention to the vulnerability and how it worked - enabling many more nefarious actors to implement it.

    The 3rd point is serious because, unlike iOS, there was a demonstrable outcome to the vulnerability. This is different from iOS as the payload may not have been able to be effective due to other layers of iOS security coming into play (which has significantly limited the scope for damage with other iOS vulnerabilities in the past.)


    Unlike Android, this is not iOS's first day at the rodeo.

    I wasn't aware of any "in the wild" Stagefright infections tho it wouldn't be a huge surprise to me to read of some isolated cases. With that said a very quick search didn't find news of them. Where did you read about the number of infections? Honest question.
  • Reply 6 of 14
    spacekid (Posts: 183, member)
    Except iPhone 4's aren't running iOS 9.
  • Reply 7 of 14
    linkman (Posts: 1,035, member)
    There will be one huge difference between the iOS flaw here and Stagefright: 90%+ of the vulnerable iOS devices will get patched while ~900 million vulnerable Android ones won't/can't.
  • Reply 8 of 14
    palegolas (Posts: 1,361, member)
    With the new iOS 10 messages app, I suspect all sorts of attempts will be made to find and utilize new bugs, using maliciously crafted message plug-ins, or animated messages. The new "rich" message experience seems a bit scary to me. But it's just a hunch based on nothing but a bad feeling. Perhaps it's super safe, and locked.
  • Reply 9 of 14
    gatorguy (Posts: 24,176, member)
    linkman said:
    There will be one huge difference between the iOS flaw here and Stagefright: 90%+ of the vulnerable iOS devices will get patched while ~900 million vulnerable Android ones won't/can't.
    Rather than 900M+ I think the latest vulnerable number was actually estimated at 275M, which is still a whole lotta smartphones. But nearly one year later actual infections blamed on it are zero or near to it as best I can find in reading. In the real world there's been essentially the same level of damage to Android phones as there has been to iPhones due to Stagefright or Apple's somewhat similar flaw in iOS: None.  That could change of course and well may, with Android the more likely IF it happens. 
    edited July 2016
  • Reply 10 of 14
    clemynx (Posts: 1,552, member)
    No one said iOS was invulnerable. The big difference here is that iOS was patched... when hundreds of millions of Android devices are still vulnerable to Stagefright one year later.
  • Reply 11 of 14
    mjhnl (Posts: 27, member)
    What I would find interesting is the response time of Google and Apple. How long did it take for Google to release a patch and how long for Apple?
  • Reply 12 of 14
    ktappe (Posts: 823, member)
    This article is incomplete. It says the only way to get patched is to update to MacOS 10.11.6. Not true. If you are running Mavericks or Yosemite, you also get patched if you install Security Update 2016-004.
  • Reply 13 of 14
    gatorguy (Posts: 24,176, member)
    mjhnl said:
    What I would find interesting is the response time of Google and Apple. How long did it take for Google to release a patch and how long for Apple?
    I believe Google issued a patch within two weeks or less of disclosure, tho they were likely privately notified earlier I would think. That's the norm isn't it for reputable security researchers?

    There's been other security patches since then that address other discovered flaws as Google is on a regular monthly schedule of security fixes as of last year, and all are sent to OEMs as well. Thank the Stagefright scare for that. Some of those OEMs even roll those patches out to users' devices quickly too! (i.e. BlackBerry, Sony, some Samsung and LG smartphones among others). No idea how long Apple took with theirs as it wasn't publicly disclosed until now, so it could be a matter of days or a matter of weeks.

    As with Android the Apple iOS security hole has been there for a long time, just that no one (we assume) had found it.  
    edited July 2016
  • Reply 14 of 14
    mjhnl (Posts: 27, member)
    gatorguy said:
    mjhnl said:
    What I would find interesting is the response time of Google and Apple. How long did it take for Google to release a patch and how long for Apple?
    I believe Google issued a patch within two weeks or less of disclosure, tho they were likely privately notified earlier I would think. That's the norm isn't it for reputable security researchers?

    There's been other security patches since then that address other discovered flaws as Google is on a regular monthly schedule of security fixes as of last year, and all are sent to OEMs as well. Thank the Stagefright scare for that. Some of those OEMs even roll those patches out to users' devices quickly too! (i.e. BlackBerry, Sony, some Samsung and LG smartphones among others). No idea how long Apple took with theirs as it wasn't publicly disclosed until now, so it could be a matter of days or a matter of weeks.

    As with Android the Apple iOS security hole has been there for a long time, just that no one (we assume) had found it.  
    Thanks for your answer and explanation  :)