Wavering about Apple's latest security fix? Don't, says Talos
The very image of a remote exploit
Here's another reason to press “install” on Apple's latest OS X and iOS security patches: a slew of image-handling vulnerabilities.
The most serious of the bugs is in TIFF image processing (CVE-2016-4631), since it's the easiest to exploit, and could be practically everywhere, because it's present in “OS X 10.11.5 and iOS 9.3.2 and is believed to be present in all previous versions”.
In some applications, the Apple Image I/O API attempts to render an image without user interaction: that means an attacker can compromise a victim's machine remotely, by sending them a crafted, tiled TIFF to trigger a buffer overflow.
Since image rendering is used throughout applications, the opportunities for exploitation are almost limitless, but Talos particularly highlights messaging as the attack vector: iMessage, MMS, malicious Web pages, and anything else that uses the Image I/O API.
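As an added example (not from Talos or Apple, and not a detector for CVE-2016-4631 itself), this is how a mail or MMS gateway could hold tiled TIFF attachments for review until recipients are patched. The function names and the sample bytes are constructed for illustration; the tag numbers are the standard TIFF tile tags.

```python
import struct

# TIFF tags that only appear in tiled (as opposed to stripped) images.
TILE_TAGS = {322: "TileWidth", 323: "TileLength",
             324: "TileOffsets", 325: "TileByteCounts"}

# Constructed sample: little-endian TIFF, one IFD, 16x16 tile tags, no pixel data.
SAMPLE_TILED = (b"II" + struct.pack("<HIH", 42, 8, 2)
                + struct.pack("<HHIHH", 322, 3, 1, 16, 0)
                + struct.pack("<HHIHH", 323, 3, 1, 16, 0)
                + struct.pack("<I", 0))


def tile_info(data: bytes):
    """Return one dict of tile tags per IFD, or None if data is not a TIFF.

    Raises ValueError when an IFD lies outside the file or the chain loops.
    """
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if data[:2] == b"II" else ">"   # byte order declared by the header
    magic, ifd_off = struct.unpack_from(bo + "HI", data, 2)
    if magic != 42:
        return None
    found, seen = [], set()
    while ifd_off:
        if ifd_off in seen:
            raise ValueError("IFD chain loops back on itself")
        seen.add(ifd_off)
        if ifd_off + 2 > len(data):
            raise ValueError("IFD offset outside file")
        (count,) = struct.unpack_from(bo + "H", data, ifd_off)
        end = ifd_off + 2 + 12 * count
        if end + 4 > len(data):
            raise ValueError("IFD entries run past end of file")
        tags = {}
        for pos in range(ifd_off + 2, end, 12):
            tag, typ, n = struct.unpack_from(bo + "HHI", data, pos)
            if tag in TILE_TAGS:
                # SHORT (type 3) values are left-justified in the 4-byte field.
                (val,) = struct.unpack_from(bo + ("H" if typ == 3 else "I"), data, pos + 8)
                tags[TILE_TAGS[tag]] = val if n == 1 else f"{n} values"
        found.append(tags)
        (ifd_off,) = struct.unpack_from(bo + "I", data, end)
    return found


def hold_for_review(data: bytes) -> bool:
    """True when any IFD carries tile tags or the IFD structure is malformed."""
    try:
        info = tile_info(data)
    except ValueError:
        return True   # malformed structure: treat as suspect
    return bool(info) and any(info)
```
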
The API also has vulnerabilities in handling OpenEXR (a high dynamic range format developed by Industrial Light and Magic) files, designated CVE-2016-4629 and CVE-2016-4630.
A malicious OpenEXR file can trick the API into writing outside the destination buffer, and the same can happen when it handles B44-compressed data inside OpenEXR files.
The other two bugs are CVE-2016-1850, a problem in how Digital Asset Exchange XML files are handled, and CVE-2016-4637: for the nostalgic, even BMP files provide an attack vector. ®