Apple iOS users taste Android anxiety with nasty CoreGraphics image flaw

Apple’s iOS just had its own Android Stagefright moment.

Among a thicket of important Apple patches released on 24 October 2016, iOS 10.1 fixes a serious memory corruption flaw that could allow an attacker to take control of an iPhone or iPad simply by getting a user to view a booby-trapped JPEG file.

Labelled CoreGraphics (CVE-2016-4673) in Apple’s update list, the patch is available for Apple devices from the iPhone 5, iPad 4, and iPod Touch 6th generation and later, and has also been fixed for watchOS and macOS in separate patches.

As Apple describes it:

Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

This CoreGraphics bug bears a passing resemblance to the Stagefright vulnerabilities, a clutch of security holes in Android’s core media-playing engine back in 2015.

Stagefright could, in theory, have put an attacker in control simply by the user receiving and automatically opening a malicious MMS message.

In theory, Apple’s CoreGraphics security issue isn’t that far removed from Android’s SNAFU – you could end up hijacked simply by reading a message or opening an image file on your iPhone.

The moral?

Mobile platforms aren’t terribly different to one another these days. They all run software that does similar things, and their programmers make similar mistakes.

More bugs

Elsewhere, macOS Sierra 10.12.1 gets a pile of fixes, including its own fix for the CoreGraphics image-handling bug described above.

Other patches fix a password-handling flaw that could allow an attacker to observe password length (CVE-2016-4670), a denial-of-service glitch in Nvidia graphics drivers (CVE-2016-466), and a remote code execution flaw (CVE-2016-4667) that could be triggered by a booby-trapped font file.

Two of these flaws arrived at Apple courtesy of Google’s Project Zero, another sign of how integrated the bug-hunting world is becoming.

A final standout is the Apple FaceTime vulnerability (CVE-2016-4635) that could allow an attacker to eavesdrop by keeping open an audio stream after showing the user it has ended. This was fixed earlier this summer for older iOS and OS X versions of Apple products.

Other bits of Apple’s sprawling product world get attention, too.

Apple TV gets an update to tvOS 10.0.1 to fix 11 issues, the Apple Watch watchOS 3.1 has eight patches, and Safari gets two.

Apple users can get these fixes by visiting iTunes or by checking the App Store. Apple TV updates can be downloaded through Settings | General | Update Software, while the Apple Watch receives them via an iPhone.

As the sages of Sophos like to say: patch early, patch often!
