Cybersecurity Alert: Apple ImageIO MMS Attack

July 21, 2016

Threat Summary

Apple has released a set of critical updates for iOS, OS X, tvOS™, and watchOS® to fix a vulnerability (CVE-2016-4631) in the company’s ImageIO library that would allow a remote attacker to execute malicious code on devices via an iMessage message containing a TIFF image.
 
The vulnerability is classified as critical, and all Apple device owners should be wary of any inbound MMS messages originating from unknown sources. Because many iMessage® platforms automatically render images in incoming messages, an attacker can exploit this vulnerability without any user interaction.
 
Apple device owners are urged to upgrade to the latest patched versions of their operating system, including updating iPhones to iOS 9.3.3, which includes fixes for 42 additional vulnerabilities.
 
Please see the Apple patch advisory and Cisco Talos blog for further details.

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.