Earlier this year, Cisco’s Talos division reported significant image-processing bugs to Apple, one of which could allow attackers to inject malware or remotely execute code via “iMessages, malicious webpages, MMS messages, or other malicious file attachments opened by any application.” These flaws were patched in Apple’s current operating systems in its July 18 update. Some media outlets immediately dubbed this Apple’s “Stagefright,” referring to a severe Android flaw discovered a year ago that could access or hijack an Android phone via an MMS message. But the details don’t support this level of concern, despite the seeming severity of the flaws.
Talos found that maliciously constructed data saved as BMP, Digital Asset Exchange, OpenEXR, and TIFF image files could outwit the operating system and allow code to be written and executed, including opening up a system to remote exploits. The ancient lossless image format TIFF, however, is the worst culprit as Apple’s OSes will access a TIFF image to render a format in many cases without a user specifically opening a malicious file.
While much coverage of this bug focused on the MMS and iOS angle, Talos only created a proof of concept for exploiting the TIFF flaw via malicious webpages. Tyler Bohan, Talos’ senior security researcher credited with reporting these bugs, says via email that Talos was able to create a proof of concept to exploit this vulnerability on OS X in Safari, and presented the results at the SummerCon hacker convention in New York earlier this month. The report is available for download.
Bohan says they bypassed some of OS X’s protections against arbitrary code execution through address space layout randomization (ASLR), allowing his team to examine and control where malicious delivered code could run. He says because of similarities between iOS and OS X, “the work being done on OS X should port similarly to the browser on iOS.”
Other pathways to trigger the TIFF bug haven’t yet been shown to execute code. “iOS is also exposed to attack via iMessage, and can give the attacker code execution if the platform mitigations are bypassed, however more research is needed to prove this is achievable through the MMS/iMessage vector,” he says.
A window of exploitation rapidly shutting
The TIFF flaw affects unpatched current releases of every Apple OS: iOS 9, tvOS 9, watchOS 2, and OS X 10.11 El Capitan, as well as 10.9 Mavericks and 10.10 Yosemite. The other four affect various combinations of those releases and requires more direct interaction to trigger. Talos used industry-standard responsible disclosure policies to provide the details to Apple ahead of time, and Apple released a set of updates for current OSes, but at this writing hasn’t produced security fixes for Mavericks or Yosemite.
The comparison to Stagefright at first seemed reasonably apt, but after scratching the surface, there’s only a coarse similarity. Stagefright affects versions of Android starting with 2.2, released in 2011, and swept in several hundred million Android phones, tablets, and other devices. Hundreds of millions of Android phones haven’t been patched to protect against Stagefright and many are well past any security upgrade cycle. (Stagefright was partly mitigated by updates to Google’s Hangouts and Messenger apps.)
However, even though Talos implemented an attack against Safari and OS X, as noted above, the MMS and iMessage vectors remain to be proven. Delivering malicious web content, even via phishing or webpage content hijacking, has a slimmer profile than multimedia messaging.
There can also be a large gap between theoretical and practical that can keep even severe exploits from turning into widespread vectors for malware, even when effective proofs of concept exist. As security firm Sophos noted on its blog post about the bugs, “Not all vulnerabilities can be turned into working exploits, where crooks can send deliberately-crafted files that not only crash the offending code but also wrangle control from it in the process.”
Without knowing how well and rapidly these flaws can be exploited and used to deliver payloads, the “businesses” that develop malware may not invest the time and research. (Governments and contractors may still pursue these angles as part of a toolkit to compromise specific targets, whether individuals, companies, or foreign agencies.)
Dan Guido, CEO of security firm Trail of Bits, noted on Reddit a number of issues that make it difficult to execute malicious code in iOS, as well as pointing out pathways that exist in Android and are absent in iOS. Bohan responded in the same Reddit thread with additional technical detail.
Nonetheless, given the percentage of Apple users on current versions of OS X and the speed at which Apple users update iOS, tvOS, and watchOS, the number of users that will remain open as a target are relatively small. Even if Apple fails to patch 10.9 and 10.10, that’s a small and shrinking percentage of OS X users. According to Net Applications browser-based analysis, almost three times as many OS X users run 10.11 El Capitan as 10.10 Yosemite, while 10.9 Mavericks users are less than a third of the installed Yosemite base.