Apple’s latest round of updates (OS X 10.11.6, iOS 9.3.3) patches a bug in ImageIO, the system that renders thumbnails of images. More specifically, Apple addressed a long-standing bug where a deliberately malformed TIFF image could cause memory corruption, and this corruption could potentially be used as a vector for remote attack.
So in theory, your Mac or iOS device could be compromised by malware simply by visiting a website, opening an email, or receiving an IM or SMS text message… basically any method causing a thumbnail of a sent “hacked” TIFF image to be displayed.
This is similar to an Android bug discovered last year nicknamed Stagefright, where Android devices could potentially be attacked by viewing MP4 videos on websites or sent via email or text. https://en.wikipedia.org/wiki/Stagefright_(bug)
The big takeaway here is… while it’s great that Apple patched this ImageIO bug, there is no immediate threat, and in my opinion there never will be one. Older versions of OS X and iOS all have multiple layers of security, and if hackers are able to figure out how to craft TIFF images that could get them access into the OS memory layer, they wouldn’t be able to do anything with it. Yes, there is always the risk that hackers will be able to link this vulnerability with another exploit, and accomplish something that no one has ever been able to do, but here’s why I’m so skeptical this will ever happen with ImageIO: The Android Stagefright bug was never exploited. For all the media attention it got, not a single Stagefright-based malware attack happened in the wild, and only one weak proof-of-concept (Metaphor) surfaced. I attribute this to Android also having multiple layers of security.
A lot of websites are stating that all Macs and iPhones/iPads must be updated immediately to avoid this imminent risk, including upgrading older versions of OS X and iOS, and some are going as far as recommending Apple users should stop using SMS text completely. Many of these same sites suggest that this bug is being actively exploited. I think this is all insane. There are dozens of vulnerabilities that haven’t been patched in older versions of OS X and iOS that have just as much potential for being exploited, but hackers won’t because it’s just too difficult to implement. These vulnerabilities fall out of favor when they become stale, much like the one nicknamed Rootpipe that I posted about on 4/20/15 and 5/22/15.
If you’re running OS X 10.11 or iOS 9.3, of course I recommend applying Apple’s latest round of updates. If you’re still holding out on OS X 10.6-10.10 or iOS 7-8 for whatever reason, you are at more risk of being remotely attacked by something like this, but I assure you that these risks are currently negligible and don’t require drastic action.
UPDATE 7/22/16: While researching this further, it looks like Apple actually patched 4 similar bugs with OS X’s ImageIO system (CVE-2016-4629, CVE-2016-4630, CVE-2016-4631, CVE-2016-4632). Two of these ImageIO bug fixes were also included in Apple’s recent Security Update 2016-004, available for OS X 10.9.5 and OS X 10.10.5. I have no idea why Apple didn’t include all four, but it could be that the other two only affect OS X 10.11. Regardless, what this means is if you’re running a fully patched OS X 10.9.5 or 10.10.5 Mac, your risk level is even lower than I originally reported.