Apple released a patch for vulnerabilities affecting the iTunes, iOS, Safari, OS X El Capitan, tvOS, and watchOS line of products. The update includes a patch of critical vulnerabilities in iOS and OS X that could allow remote code execution.
Cisco Talos senior security researcher Tyler Bohan discovered flaws in the OS X platform’s image processing format. The vulnerabilities are comparable to the Stagefright vulnerabilities in Android devices discovered a year ago by Joshua J. Drake at Zimperium zLabs. The iOS flaw allows for nearly undetectable theft of passwords from iPhones.
“When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices,” Cisco Talos threat researcher Earl Carter wrote in a blog post. “This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images.”
An attacker could deliver a payload to launch the vulnerability using iMessages, malicious web pages, MMS messages, or other malicious file attachments, according to Talos.
Security firm Zscaler discovered a separate vulnerability affecting OS X El Capitan that grants unauthorized access of cookies stored in the Safari browser to applications that do not have appropriate privileges. “This access could result in a malicious application lifting all the persistent cookies for a given user and accessing sites posing as that user,” Zscaler senior software engineer Abhinav Bansal wrote in a company blog post.
In speaking with SCMagazine.com, Amit Sinha, CTO and EVP of engineering and cloud operations at Zscaler, said the flaw is a “major vulnerability” affecting all Mac users. “Any application that is installed on the Mac App Store has full access” to the persistent cookies stored unencrypted in Safari’s cookie store.
Sinha said it would be “trivial” for an attacker to exploit the vulnerability and access all cookies stored by affected users. A popular application could gain access to victims’ cookies in a widespread attack that requires you to craft specific malicious code. “No special permissions are needed,” he said
Zscaler researchers found three other vulnerabilities affecting Mac OS X and iOS, he told SCMagazine.com. The vulnerabilities were reported to Apple and have not yet been disclosed.
Many of the updates involved situations in which Apple discovered additional related vulnerabilities as a report of vulnerabilities disclosed by external researchers, according to WatchGuard Technologies information security threat analyst Marc Laliberte. “While investigating further into a reported vulnerability should be the status quo, that isn’t always the case,” he wrote in an email to SCMagazine.com.