This blog was written by Bruce Snell.
A number of serious vulnerabilities have been recently reported impacting OS X, iOS, watchOS and tvOS. These vulnerabilities appear to be similar to StageFright in that an attacker can execute malicious code without any user interaction whatsoever.
I don’t even have to click anything?
The vulnerability involves a bug in the way TIFF files are handled. TIFF is an image format like JPG or GIF that is commonly associated with Photoshop or other photo editing software. The malware writer can take advantage of this bug to execute malicious code when the image is viewed. This is particularly dangerous when you think about how often you receive an iMessage containing a picture. The reason you can see the picture is because iMessage automatically opens the file. If the image contained malware, it could execute code that had access to the device’s memory and stored passwords.
Don’t worry, there’s already a fix.
Apple is already on top of this vulnerability and has released fixes for iOS and OS X. The update is already available. To find this update in iOS, tap Settings > General > Software Update. This is a relatively small update and should only take a short amount of time to download. To install the update for OS X, open the App Store app on your Mac and click “Updates” in the toolbar.
What if I can’t update?
If for some reason you can’t update your iOS device right away, you can minimize your risk by turning off iMessage on your iPhone and disabling MMS messaging. This does mean you will only be able to receive text messages, but you will also not be able to receive infected TIFF files that could exploit your system.
Bugs like this don’t come around every day, but thankfully Apple’s quick response could help minimize the risk of this one.