QUICK FIX
Update your Apple devices now to fix a terrifying security bug
There are gaping security holes in Apple’s operating systems that can be exploited through its default messaging, web browsing, or email software. For instance, hackers could grab your passwords just by sending you an infected iMessage—and all they’d need is your phone number.
The security gaps were discovered by Tyler Bohan, a researcher with Cisco Talos, a unit of Cisco that works on security.
Forbes was the first to report on the findings.
The hacks strike at the heart of Apple’s mobile and desktop operating systems, exploiting the way they deal with importing and exporting images.
Here’s how the attack works: A hacker creates malware that’s formatted as a TIFF file, which is just another image format like JPG or GIF. The hacker then sends it to a target using iMessage. This is especially effective because the messaging app automatically renders images on its default settings.
Once the infected file is received, malicious code can be executed on the target device, giving an attacker access to the device’s memory and stored passwords. The victim wouldn’t even have had a chance to prevent it. The same attack can be delivered by email, or by making the user visit a website that contains the infected image, using Apple’s Safari browser.
It gets worse. Bohan found that the security hole is present in all versions of iOS and OS X except for the very latest ones, which were published on July 18. Bohan had shared his discoveries with Apple ahead of time, and the latest versions of its OS address the vulnerabilities. That means the safe version of iOS is 9.3.3 and for OS X it’s El Capitan 10.11.6.
There’s another quick fix, as security research firm Sophos points out: Turn off iMessage on your iPhone, and also disable MMS messaging. This means you’ll be limited to receiving text messages only. Image files won’t be received.
The scale of the vulnerability is staggering. According to Apple, about 14% of iOS devices run iOS 8 or earlier. There are over 690 million active iOS devices, according to one estimate, which means at least 97 million devices running Apple’s mobile operating system are vulnerable to the hack. That’s not even accounting for the mobile devices that aren’t running the absolutely newest version of iOS 9, or Macs that aren’t up to date. Apple has said it has over 1 billion active devices worldwide, but doesn’t break down that figure in detail.
This Apple security problem has been likened to Stagefright, a flaw in Android, Google’s mobile operating system, that was discovered last year. That security hole also relied on texting infected images, and some 950 million Android devices were exposed. It was discovered by a researcher at Zimperium zLabs in April 2015 who shared his findings with Google, which then issued an update fixing the problems.