Cisco’s Talos security team disclosed multiple security vulnerabilities earlier this week, identifying areas at risk of possible exploits in iOS devices and Mac OS X. Some experts believe the exploits would be complex to pull off and likely not worth an attacker’s time. Regardless, the bugs have already been fixed in the latest versions of both operating systems.
In its post, Talos described five particular vulnerabilities that would allow someone to insert malicious code that would activate when OS X processes certain image file formats: TIFF, OpenEXR, Digital Asset Exchange and BMP. The security team found the first exploit to have the most potential danger, as it could be triggered by many applications, like iMessage, that automatically render that file format when received or present multiple images in a tiled arrangement.
While the exploits appear similar to the Stagefright Android bug revealed last year, the comparison isn’t totally sound. For one, Apple’s devices and computers run far fewer versions of its operating systems, and thus fewer are left behind in the updating cycle. In addition, several of the attack vectors via MMS and iMessage proposed by Talos remain hypothetical, and even those they successfully simulated in OS X and Safari have a lower reward profile than multimedia messaging, reports Macworld. Dan Guido, CEO of security firm Trail of Bits, further dismantles the Stagefright comparison and points out on Reddit that crafting an exploit for iOS, tvOS or watchOS could take as much as six months.
Apple declined to comment, but the latest versions of OS X El Capitan and iOS 9.3.3, which fix the vulnerabilities, were released on Monday, July 18th, the day before Talos’ report was released.