Stagefright Returns? Mac & iPhone Users Urged to Update

A senior technologist at Sophos has called on all Mac and iPhone users to update to protect themselves against a Stagefright-style bug.

In a Naked Security blog post Paul Ducklin explained that the bug, which hit the headlines last year as "one of the most noteworthy Bugs with an Impressive Name (BWAIN)" has now come to Macs and iPhones. This was a cluster of holes in Android’s core media-handling library known as libstagefright.

Ducklin wrote:

“Four different bugs (CVE-2016-1850, CVE-2016-4629, CVE-2016-4630, CVE-2016-4631) were fixed; the ‘biggie’ is CVE-2016-4631.”

According to security researcher Tyler Bohan of Cisco Talos: the CVE-2106-4631 bug occurs in the handling of TIFF images; the faulty code affects both OS X and iOS; and the bug has been around for a while.

“In theory, then, now the CVE-2016-4631 hole is known, and the crooks have hints on where to start looking to find a working exploit, there’s a real risk of OS X and iOS malware or data-stealing attacks that can be triggered by messages or emails.”

Image rendering bugs like Stagefright are particularly dangerous when they are ‘weaponized’ into RCEs, because so many of the images we receive these days are processed and displayed automatically as an expected part of some other innocent activity, he continued.

“That’s why Android’s series of Stagefright bugs caused widespread alarm (more alarm than was needed, fortunately), because apps that auto-render and auto-display images include:

•    Messaging apps. Text messages contain only text, but messages sent using MMS (the mobile phone network’s multimedia messaging system) usually link directly to image files, which are pulled down and processed automatically by the messaging software.

•    Email clients. Email attachments are easy enough to open by mistake, but they require an extra tap after reading the message in the first place. Inline images simply appear as part of the message, so just reading an email containing images may be enough for an attack to succeed.

•    Browsers. Modern web pages typically contain anywhere from tens to hundreds of images, all of which are processed, scaled and put into the page that gets displayed. The bad news in all of these cases is that the sender gets to decide what images are included, as well as what format they are in.”

“In other words, even if there’s an unusual bug in an abstruse image format you’ve never used yourself, the sender can pick that format, and the app does the work of figuring what program code to use to process it, and how to display it on screen.”

The bottom line, according to Ducklin, is that your iDevice or Mac is almost certainly vulnerable if you haven’t installed the very latest update yet.

What to do?

“Patch early, patch often. That may one of our truisms, but truisms get to be truisms precisely because they’re true!”

“Consider turning off MMS messaging. If you don’t use MMSes (I haven’t received one for ages), you can turn them off altogether on iOS in Settings/Messages.”

What’s Hot on Infosecurity Magazine?