GET THE FREE NATIONAL CYBER SECURITY APP FOR YOUR PHONE AND TABLET
Update software pronto.
Apple software contains flaws that could allow hackers to steal people’s passwords by doing nothing more than sending a single nefarious message. Apple AAPL 0.13% patched the vulnerabilities in its latest batch of software updates this week—still, it is incumbent upon people actually to download the updates. (Do it, yes!)
“This is very high severity issue,” Craig Williams, senior technical lead and head of global outreach at Cisco CSCO 2.84% Talos, the networking giant’s threat intelligence division, told Fortune on a call. “The fact that you have an exploit without any user interaction makes me very concerned.”
The issues affect ImageIO, a programming interface that reads and writes image data. Here’s how an exploit could work: If an attacker were to send someone a booby-trapped multimedia message (MMS), for example, containing malicious code in a “tagged image file format” (abbreviated as TIFF, a format like JPEG or PNG), then the code would start executing as soon as it was received.
“What makes iMessage insidious is that it cues it,” Williams said, stressing that the hack could also be delivered via other means, such as by email or webpage, as well. (These other methods would require a person to open the message or visit the website using a Safari browser to initiate the attack though.)
Ultimately, an attack could give a hacker access to portions of a computer’s memory, which could contain sensitive information, such as passwords and login credentials, Williams said. The issues affect recent versions of iPhone’s iOS, Mac’s OS X El Capitan, Apple TV’s tvOS, and Apple Watch’s watchOS software. (See the linked pages for more information, as well as this technical post on the Cisco Talos blog.)
“An attacker could send a thousand iMessages to victims and the second they turn their phones on they’re infected,” Williams added. In this way, the flaws recall the Stagefright vulnerabilities that affected Google’s GOOG 0.57% Android software last year—although the Android issues were more severe since they remained effectively unpatched for longer and gave hackers greater control over affected devices.
A word of advice? Patch up. “Exploitation wise, Talos estimates there is about a two-week effort to get from the information we disclosed publicly to a fully working exploit with a decent amount of reliability,” Tyler Bohan, the security researcher at Cisco Talos who uncovered and reported the bug, told Forbes Tuesday.
Another reason to patch up pronto: Another bug affecting Apple software—this one discovered by a Salesforce CRM 0.95% security engineer—lets snoops eavesdrop on FaceTime calls. The newly issued iOS 9.3.3 fixes that problem, too.
As with any security fixes, people “should apply the patch immediately,” Williams said.