▶ Apple
iPhone Stagefright

Uses the same attack vector as the Android version

The dreaded Stagefright vulnerability has now appeared in OSX and iOS, one year after it was first discovered on Android. Google has released dozens of patches throughout that time aimed at fixing it, the most recent being just this week.

The idea behind Stagefright, and the reason it is so hard to close down every variant, is that the target is the core multimedia handler present in the heart of the OS, which has by necessity special privileges in order to do its job of playing audio, video and showing images, etc.

Since the multimedia handler has to accept the media as data, the attacks arrive in the form of data which appears to be correctly formed, so that it gets to the handler in the first place, but in fact is specially crafted to carry just the right payload needed to trigger the attack.

This time its TIFF images

Cisco discovered the attack vector is via TIFF images:

Cisco Talos has discovered a vulnerability in the way in which the Image I/O API parses and handles tiled TIFF image files. When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices.

When Cisco discovered the vulnerability, they immediately informed Apple and no-one else. A patch has now been issued.

iMessage, webpages, MMS can all send TIFFs

The TIFF image format is far less common than the more familiar JPG, PNG and BMP formats. It was designed to be losslesss, so has more of a specialized role for photographers wishing to preserve the full original quality of an image. This isn't usually a concern on smaller devices, but they still must be able to deal with them. Getting a TIFF to, say an iPhone, can be done in many different ways - even just hosting it on a web page would do it.

drummer 750x300


The affected multimedia handler is present on iPhones, iPads, the Apple Watch, Macs and Apple TV. When triggered, the buffer overflow allows the attackers own code to run in a privileged mode, meaning it pretty much owns the device it's running on.

Here's Steve Gibsons take on it:

No user interaction required

These kind of attacks are especially worrying because they don't require aby kind of action from the user, such as installing a fake app or sideloading software from outside the App Store. Just getting the malformed TIFF image in is enough, so to prevent it advising users not to open iMessages or visit webpages makes the whole device pretty unusable.

Older iPhones are no longer getting the modern OS updates. Specifically, this means iPhone 4 and older will remain vulnerable to this attack because they are not receiving iOS 9.3.3 which fixes it.

Other users are safe - as long as they apply the OS updates as soon as they are notified of them.