If you use an iPhone, iPad, or Mac, you should know that Apple has released new versions of OS X (10.11.6) and iOS (9.3.3). It is time to update your devices now, for the sake of security. Security researchers have found a major security hole in Apple’s operating systems. As long as hackers know your phone number, they could get your passwords by sending you an infected iMessage.
The critical vulnerability was first spotted by Tyler Bohan, a senior security researcher at Cisco Talos, and Forbes later reported on the finding. The vulnerability allows hackers to execute code remotely through image files in Apple’s operating systems and to steal users’ passwords without being noticed. How does the attack happen? A hacker can create malware, format it as a TIFF file (another image format, like JPG or GIF), and send it to a target using iMessage. In its default configuration, the messaging app automatically renders the malicious .tiff image file. Once the file is received, the malicious code can be executed on the target device, giving the hacker access to everything stored on the device. There is nothing the recipient can do to prevent it.
The same attack can also be delivered via email and through the Safari browser. Hackers can send you an email with an embedded malicious TIFF file, or lure you into loading a web page that contains the infected image file in Safari. As soon as your device renders the malformed image, the attack launches. Talos confirmed that this vulnerability can be triggered “in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images”, without raising the victim’s suspicion.
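The Talos statement singles out tiled TIFF images. The sketch below is an added example, not code from Talos, Apple or this article: it reads a classic TIFF's image file directories and reports whether the file uses the tile tags, which lets a mail or file gateway sort TIFF attachments for review while devices are still unpatched. It does not detect the exploit itself; the tag numbers come from the TIFF 6.0 specification, and `classify_tiff`, `build_sample` and `MAX_IFDS` are names chosen for this illustration.

```python
import struct

# Tile tags from the TIFF 6.0 spec: TileWidth, TileLength, TileOffsets, TileByteCounts
TILE_TAGS = {322, 323, 324, 325}
MAX_IFDS = 64  # assumption: upper bound on the IFD chain we are willing to walk


def classify_tiff(data: bytes) -> str:
    """Return 'not-tiff', 'malformed', 'tiled' or 'stripped' for raw file bytes."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return "not-tiff"
    end = "<" if data[:2] == b"II" else ">"      # II = little-endian, MM = big-endian
    magic, offset = struct.unpack_from(end + "HI", data, 2)
    if magic != 42:                               # classic TIFF only (BigTIFF uses 43)
        return "not-tiff"
    if offset == 0:
        return "malformed"                        # a TIFF must have at least one IFD
    seen = set()
    while offset:
        # Reject pointer loops, over-long chains and offsets past end of file.
        if offset in seen or len(seen) >= MAX_IFDS or offset + 2 > len(data):
            return "malformed"
        seen.add(offset)
        (count,) = struct.unpack_from(end + "H", data, offset)
        table_end = offset + 2 + 12 * count       # each IFD entry is 12 bytes
        if table_end + 4 > len(data):
            return "malformed"
        for i in range(count):
            (tag,) = struct.unpack_from(end + "H", data, offset + 2 + 12 * i)
            if tag in TILE_TAGS:
                return "tiled"
        (offset,) = struct.unpack_from(end + "I", data, table_end)
    return "stripped"


def build_sample(tags, end="<"):
    """Constructed input: a header plus one IFD holding the given tag numbers."""
    head = (b"II" if end == "<" else b"MM") + struct.pack(end + "HI", 42, 8)
    ifd = struct.pack(end + "H", len(tags))
    for tag in tags:
        ifd += struct.pack(end + "HHII", tag, 3, 1, 0)   # type SHORT, count 1
    return head + ifd + struct.pack(end + "I", 0)


if __name__ == "__main__":
    print(classify_tiff(build_sample([256, 257, 322, 323, 324, 325])))
    print(classify_tiff(build_sample([256, 257, 273, 279], ">")))
```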
The security bug is present in all versions of iOS and OS X except for the latest versions released on July 18. After Bohan informed Apple of his discoveries, Apple patched the flaws in iOS 9.3.3, OS X 10.11.6, tvOS 9.2.2 and watchOS 2.2.2. Individual users have been advised to update as soon as they can. Organizations should also patch their software to the latest release to fix these vulnerabilities.
To learn more about the security content of iOS 9.3.3, see Apple’s security document here. To install this update on your iPhone, tap Settings > General > Software Update. To install the update for OS X, open the App Store app on your Mac, click Updates in the toolbar, and click the Install button to get started.
We strongly suggest that you update your Apple devices right now, as malicious code writers could take advantage of this vulnerability now that it has been disclosed publicly. But if for some reason you cannot or are reluctant to do so, here is an alternative way to minimize the risk of infection: turn off iMessage and disable MMS messaging (so that infected image files won’t be automatically downloaded). That means you can only receive text messages. Image files won’t be received on your iPhone.