Researchers from Cisco's Talos security team warned that the update addresses several serious bugs which, if left unpatched, could put users at serious risk from attackers.
Before version 9.3.3 was released, Talos helped Apple patch the bugs, and the full details of the fixes are now public: among them are 5 remote code execution vulnerabilities. The affected component is ImageIO, the programming interface that reads and writes image data.
Talos described the 5 specific vulnerabilities in its post. They would allow an attacker to plant malicious code that executes while OS X processes certain image file formats: BMP, Digital Asset Exchange, OpenEXR and TIFF. According to the security team, TIFF poses the greatest risk because it is handled by several applications, such as iMessage, which renders that file format automatically when it receives or displays images.
These vulnerabilities are quite similar to the Android bug StageFright, which was disclosed last year. Apple devices run only a handful of OS versions, so some are still left behind in the update cycle. However, some of the attack vectors through iMessage and MMS suggested by Talos remain hypothetical, and the ones that were successfully demonstrated in Safari and OS X do not share the exposure profile of multimedia messaging, as reported by MacWorld. Dan Guido, CEO of the security company Trail of Bits, also dismisses the StageFright comparison, noting on Reddit that developing a working exploit for watchOS, tvOS and iOS could take around 6 months.
Apple declined to comment, but the fixed versions, iOS 9.3.3 and OS X El Capitan, were released on Monday, 18th July, the day before Talos published its report.