Apple has fixed a major security hole that could have allowed hackers to gain access to a user’s iPhone and steal sensitive data such as passwords.
The flaw allowed hackers to break into an iPhone simply by sending it a text message containing a specially modified image file.
When the phone’s software tried to process the image, the file would exploit the vulnerability to access parts of the device’s code usually off-limits to third parties such as downloadable apps. It could then execute malicious code within applications without the receiver suspecting a thing.
Security experts warned that whenever the iPhone tried to process the image, for example on receiving a message or visiting a webpage containing the picture, hackers could corrupt the iPhone’s memory and access information such as website and email passwords.
The vulnerability lies in how Apple’s software handles a type of image file called a TIFF. The image can still render as normal, meaning a user will notice no difference, but by tampering with the file a hacker could also overload the iPhone’s memory, allowing the image to execute malicious code.
The flaw, discovered by Cisco Talos engineer Tyler Bohan, also affects other iOS devices and the OS X Mac software. The problem is particularly acute on Macs, since the iPhone’s permissions that allow one app to interact with another are stricter than those on the Mac.
The vulnerability is somewhat similar in nature to the Android Stagefright flaw that allowed hackers to infect up to one billion smartphones simply by sending an infected video file.
How to protect yourself
Apple has fixed the bug, but only for iOS and Mac users who update to the latest software.
On the iPhone, go to Settings -> General -> Software Update and select “Download and Install” to upgrade to iOS 9.3.3. The upgrade is available for iPhone 4s and later, iPod touch fifth generation and iPad 2 and later.
On a Mac, click the Apple icon and select the App Store. In the “Updates” tab you can then update to the latest software.