Researchers at Cisco's Talos security group warned that the update fixes several serious bugs which, on devices left unpatched, put users at real risk from attackers.
Talos worked with Apple to patch the bugs before version 9.3.3 shipped, and the details of the fixes are now public: there are five remote code execution vulnerabilities. The affected component is ImageIO, the programming interface that reads and writes image data.
Talos described the five vulnerabilities in its post. Each allows a specially crafted file to execute attacker-supplied code when OS X or iOS parses it, in one of four formats: BMP, Digital Asset Exchange, OpenEXR and TIFF. According to the security team, TIFF poses the greatest risk because it is handled by many applications, including iMessage, which in its default configuration renders images of that format automatically when a message is received or displayed.
These vulnerabilities are broadly similar to the Android Stagefright bug disclosed last year, with one difference in Apple's favour: its devices run only a handful of OS versions, so fewer of them are left behind by the update cycle. However, some of the attack vectors Talos suggested, via iMessage and MMS, remain hypothetical; the attacks actually demonstrated worked through Safari and OS X, which do not share the no-interaction profile of multimedia messaging, as MacWorld reported. Dan Guido, CEO of the security company Trail of Bits, also pushed back on the Stagefright comparison, noting on Reddit that producing a working exploit for iOS, tvOS and watchOS could take around six months.
Apple declined to comment, but the updates that fix the vulnerabilities, iOS 9.3.3 and OS X El Capitan 10.11.6, were released on Monday 18 July, the day before Talos published its report.
Apple is rumoured to have been talking with a number of digital security experts about bolstering iOS security. Last year the FBI asked Apple for access to the iPhone belonging to one of the men behind the 2015 San Bernardino terror attack.
According to the sources, the company's engineers are developing a new security measure that would make it impossible for the government to break into a locked iPhone using methods like those at the centre of the court fight in California. If Apple succeeds, the upgrade will also create a new technical challenge for law enforcement agencies.
As the sources put it, if the FBI wants to get into an iPhone in future it will need a new way to do so. The agency had demanded that the Cupertino company build a special version of iOS that would let investigators brute-force the passcode on the terrorist's iPhone.
Apple says it has no software that can do so and will not comply with the FBI's demand. It also argues that opening up one iPhone for the FBI would lead to demands to crack thousands more passcodes for government agencies. Tim Cook, Apple's CEO, has said that such software, if built, would be the software equivalent of cancer.
Reports from the US say the FBI is already asking Apple for access to 12 more iPhones in unrelated criminal cases. Federal wiretapping law requires traditional phone carriers to make their data accessible to law enforcement, but technology companies such as Apple and Google are not covered by that requirement, and they have strongly resisted legislation that would place similar obligations on them.
According to Benjamin Wittes, a senior fellow at the Brookings Institution, "We are in for an arms race unless and until Congress decides to clarify who has obligations in situations like this". Technology companies have long hunted for bugs in their own software and patched them to keep it secure against hackers; since Edward J. Snowden's revelations of government surveillance, they have also been retooling their products to protect against government intrusion.