Security researchers have recently found several remote code execution vulnerabilities in iOS and OS X. The vulnerabilities could allow cyber criminals to compromise Apple devices using specially crafted image files.
This week, Apple patched tens of vulnerabilities in OS X and iOS, including four security holes discovered by Cisco Talos researchers. One of the most serious issues is CVE-2016-4631, which affects the ImageIO component in OS X 10.11.5 and prior, and iOS 9.3.2 and prior. CVE-2016-4631 also affects the watchOS and tvOS operating systems, which are based on iOS.
The security researchers at Cisco say that the flaw is related to how ImageIO processes TIFF (Tagged Image File Format) files. The vulnerability can be exploited by cyber criminals for arbitrary code execution by sending the targeted user a specially crafted image file which triggers a heap-based buffer overflow.
Currently, the vulnerability is considered a serious threat due to the large number of affected devices and the wide range of potential attack vectors. According to the security experts, hackers can exploit the weakness by sending malicious TIFF files via iMessages, MMS messages, websites and other applications which use ImageIO for processing images.
The security experts warned that in some cases the exploit might not require any user interaction as some applications render images automatically when received.
A second arbitrary code execution flaw, CVE-2016-4637, affects both iOS and OS X and exists in the CoreGraphics component. According to Cisco, the vulnerability is related to how the height property in the header of a BMP file is handled. A hacker can craft a special BMP file which triggers an out-of-bounds write when opened in an app using CoreGraphics.
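The height field is the classic trouble spot in BMP parsing: the format stores it as a signed 32-bit integer, a negative value means the image is stored top-down, and any buffer sized from width, height and bit depth must be computed without wrapping. The following C program is an added example written for this article; it is not Apple's code, not the CoreGraphics implementation, and not a reproduction of CVE-2016-4637. It shows a header parser that validates those fields before anything is allocated or copied, including rejecting INT32_MIN (which cannot be negated) and pixel data that does not fit inside the bytes actually received. BMP_MAX_DIMENSION is an assumed policy limit, and the helper functions and the constructed test file are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Apple's code, not the CoreGraphics bug itself): a BMP
 * header parser that validates width, height and bit depth before any
 * buffer is sized from them. BMP_MAX_DIMENSION is an assumed policy limit. */
#define BMP_HDR_SIZE      54u      /* 14-byte file header + 40-byte info header */
#define BMP_MAX_DIMENSION 16384u

typedef struct {
    uint32_t width, height;   /* height stored as its absolute value */
    int      top_down;        /* BMP encodes a top-down image as a negative height */
    uint16_t bpp;
    size_t   row_stride;      /* bytes per row, padded to a 4-byte boundary */
    size_t   pixel_bytes;     /* row_stride * height, computed in 64 bits */
    uint32_t data_offset;
} bmp_dims;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 if the header is acceptable, a negative code otherwise. */
int bmp_parse_dims(const uint8_t *buf, size_t len, bmp_dims *out)
{
    if (buf == NULL || out == NULL || len < BMP_HDR_SIZE) return -1;
    if (buf[0] != 'B' || buf[1] != 'M') return -2;
    const uint8_t *ih = buf + 14;
    if (rd_le32(ih) < 40u) return -3;                     /* biSize */
    int32_t  width  = (int32_t)rd_le32(ih + 4);
    int32_t  height = (int32_t)rd_le32(ih + 8);          /* signed on purpose */
    uint16_t planes = (uint16_t)(ih[12] | (ih[13] << 8));
    uint16_t bpp    = (uint16_t)(ih[14] | (ih[15] << 8));

    if (width <= 0 || (uint32_t)width > BMP_MAX_DIMENSION) return -4;
    /* Negative height is legal, but INT32_MIN has no positive counterpart
     * (negating it overflows), so it is rejected before the negation. */
    if (height == 0 || height == INT32_MIN) return -5;
    uint32_t h = (uint32_t)(height < 0 ? -height : height);
    if (h > BMP_MAX_DIMENSION) return -5;
    if (planes != 1) return -6;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return -7;

    /* 64-bit arithmetic so width * bpp * height cannot wrap around. */
    uint64_t stride = (((uint64_t)width * bpp + 31u) / 32u) * 4u;
    uint64_t total  = stride * h;
    if (total > (uint64_t)SIZE_MAX / 4u) return -8;
    uint32_t data_offset = rd_le32(buf + 10);
    /* The pixel area must lie entirely inside the bytes we were given. */
    if (data_offset < BMP_HDR_SIZE || (uint64_t)data_offset + total > len) return -9;

    out->width = (uint32_t)width;  out->height = h;  out->top_down = height < 0;
    out->bpp = bpp;  out->row_stride = (size_t)stride;  out->pixel_bytes = (size_t)total;
    out->data_offset = data_offset;
    return 0;
}

/* Copies the rows into a buffer sized from the validated dimensions,
 * normalised to top-down order. Returns NULL if the header was rejected. */
uint8_t *bmp_copy_pixels(const uint8_t *buf, size_t len, bmp_dims *d)
{
    if (bmp_parse_dims(buf, len, d) != 0) return NULL;
    uint8_t *pixels = malloc(d->pixel_bytes);
    if (pixels == NULL) return NULL;
    for (uint32_t row = 0; row < d->height; row++) {
        uint32_t src_row = d->top_down ? row : d->height - 1 - row;
        memcpy(pixels + (size_t)row * d->row_stride,
               buf + d->data_offset + (size_t)src_row * d->row_stride, d->row_stride);
    }
    return pixels;
}

/* Constructed input for self-checks: a header followed by data_len pixel
 * bytes where byte i equals (uint8_t)i. Pixel area capped at 64 bytes. */
static size_t build_file(uint8_t *file, int32_t w, int32_t h, uint16_t bpp, size_t data_len)
{
    if (data_len > 64) data_len = 64;
    memset(file, 0, BMP_HDR_SIZE);
    file[0] = 'B'; file[1] = 'M';
    wr_le32(file + 2, (uint32_t)(BMP_HDR_SIZE + data_len));
    wr_le32(file + 10, BMP_HDR_SIZE);          /* pixel data right after the headers */
    wr_le32(file + 14, 40u);
    wr_le32(file + 18, (uint32_t)w);
    wr_le32(file + 22, (uint32_t)h);
    file[26] = 1;  file[28] = (uint8_t)bpp;  file[29] = (uint8_t)(bpp >> 8);
    for (size_t i = 0; i < data_len; i++) file[BMP_HDR_SIZE + i] = (uint8_t)i;
    return BMP_HDR_SIZE + data_len;
}

/* Parser verdict for a constructed file with the given header fields. */
int bmp_verdict(int32_t w, int32_t h, uint16_t bpp, size_t data_len)
{
    uint8_t file[BMP_HDR_SIZE + 64];
    bmp_dims d;
    return bmp_parse_dims(file, build_file(file, w, h, bpp, data_len), &d);
}

/* First byte of the normalised pixel buffer, or -1 if the file is rejected. */
int bmp_first_pixel_byte(int32_t w, int32_t h, uint16_t bpp, size_t data_len)
{
    uint8_t file[BMP_HDR_SIZE + 64];
    bmp_dims d;
    uint8_t *px = bmp_copy_pixels(file, build_file(file, w, h, bpp, data_len), &d);
    if (px == NULL) return -1;
    int first = px[0];
    free(px);
    return first;
}
```

The point of the design is that every size used by `memcpy` and `malloc` is derived only after the header fields have been bounded and the arithmetic has been done in a width that cannot wrap, and that a negative height is handled as the format's top-down flag rather than fed into an allocation size; a parser that negates the raw value, or multiplies width by height in 32 bits, is where out-of-bounds writes of this class come from.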
This week, the researchers at Cisco Talos were also credited with two other graphics-related vulnerabilities in OS X El Capitan 10.11.6. The security flaws, CVE-2016-4629 and CVE-2016-4630, exist in ImageIO and can be exploited to execute arbitrary code using OpenEXR, an HDR image file format developed by Industrial Light & Magic for the visual effects industry.
The Cisco experts have also discovered CVE-2016-1850, an Apple SceneKit flaw which was patched in May this year, alongside the release of OS X 10.11.5. The vulnerability can be leveraged by a remote hacker to execute code using specially crafted Digital Asset Exchange or Collaborative Design Activity files.