A boobytrapped JPEG could infect your iPhone. Upgrade to iOS 10.1 now

Bad picture.

Apple has released the latest version of its mobile operating system for iPhones and iPads, iOS 10.1.

And alongside the usual array of bug fixes there are some important security patches, including this one:

CoreGraphics

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

In simpler language, if you view a maliciously-crafted JPEG graphic (for instance, by browsing a website or opening an email) on a vulnerable iOS device, you could be allowing malicious code to execute.

That's a nasty security bug, and now that Apple has released a patch there will surely be some criminal hackers interested in seeing if they can find a way of exploiting it.

You can make sure that you aren't at risk by updating your iOS device to iOS 10.1 as soon as possible.

To update your device go to Settings > General > Software Update.

Oh, and if you have a Mac or an Apple Watch - you're also at risk from the same vulnerability.

So you may be wise to update your copy of macOS Sierra and watchOS as well.


13 Responses

  1. Bob

    October 24, 2016 at 10:18 pm #

    iOS 10.1 certainly patches critical vulnerabilities. It has a good many features updates and bug fixes too.

    There's no reason for people not to install this immediately. It shouldn't 'brick' your device (it's been well tested at the beta stage) and the security patches alone are so important that delaying upgrading is putting yourself at risk.

    It always gives me a warm feeling inside when Apple push out patches, whereas Android users get left out in the cold because of the insouciance of both manufacturers and networks.

    • Graham Cluley in reply to Bob.

      October 25, 2016 at 8:12 am #

      Yup, I installed the updates without any problems on my Apple gear.

      I agree that Apple is doing a good job at rolling out security patches, especially when compared to the Android situation. Certainly if I was to recommend an Android device from the security point of view it would be hard not to lean towards devices made by Google itself (for instance, the new Google Pixel) simply because of the increased likelihood of timely security updates.

      • Kevin in reply to Graham Cluley.

        October 25, 2016 at 10:12 am #

        Thanks both,
        Are you saying that Samsung do not roll out updates when they are needed? I do not remember seeing anything like this in your articles… I thought Samsung were good too?

        • Bob in reply to Kevin.

          October 25, 2016 at 10:56 am #

          That's correct Kevin. Android is a perfect example of a highly disparate mobile OS.

          Google essentially own Android and they, for a fee, resell the rights to use it to manufacturers.

          Companies like HTC, Samsung, LG, Sony, Motorola, Xiaomi and many others then install their own crapware (software) onto the devices. Basically they customise it.

          Networks (e.g. O2, Vodafone, EE, Three) also install their own crapware (software) onto the devices.

          When Google release an update/upgrade or a critical patch to Android the majority of manufacturers put it in their own internal long list of patches to be considered. They almost never allow the end user (you) to receive it in case it breaks the phone and the ensuing negative publicity.

          Networks, upon receiving an update/upgrade or a critical patch from Google, have their own list of patches to be considered. If the patch affects connectivity then you could lose your ability to make calls, receive texts, connect to the internet etc.!

          Even if the phone manufacturer gives an update/upgrade/patch the okay IF the network doesn't allow it then you won't get it. Simple as that.

          If the network wants you to receive an update/upgrade patch BUT the manufacturer refuses then you don't get the patch.

          Manufacturers also have a perverse incentive NOT to allow you to receive new software because you're less likely to buy a new phone.

          With Apple they produce the device, they write iOS and they don't allow networks to install their own crap. When an update/upgrade/patch is released they allow 99% of their users to download it. Only very old devices are left out. That keeps users secure and their devices updated.

          Just so you have an idea – if you can break an iPhone's security you can earn yourself a cool $1,500,000. If you can totally break Android 7 you only earn $200,000. Which OS do YOU think is more secure?

          https://www.zerodium.com/program.html

          Kevin take a look at this website, scroll down and have a look at the graph and see how many Android devices are secure (the green bit). Very few.

          http://androidvulnerabilities.org/

          Over 900 million are vulnerable to the latest exploit and there are dozens of other hacks that haven't been and won't be fixed.

          https://www.wired.com/2016/08/quadroot-android-vulnerability-qualcomm/

          Sorry for the long explanation but it's difficult to explain in a few words.

          Graham, Kevin,

          Today's top story – 25/10/16

          Android phones rooted by “most serious” Linux escalation bug ever

          http://arstechnica.co.uk/security/2016/10/android-dirty-cow-escalation-vulnerability/

  2. George

    October 25, 2016 at 10:54 am #

    Help please…. what about those of us using older iThingies that cannot take iOS10+?
    How would we know if we've been infected?
    What potential damage could this exploit cause?
    I'm guessing it could disclose email, contacts and login data (bad enough) but could it brick the device?
    Would a hard reset fix the problem?

    • Bob in reply to George.

      October 25, 2016 at 12:53 pm #

      Only extremely old devices can't handle the latest iOS 10.

      As with all software there are vulnerabilities that are fixed in more recent versions – there have been a good many fixed in iOS 10 which haven't made news.

      A phone is like a car – eventually it reaches the end of its useful life. Unlike Android you get longer out of an iOS device because of Apple's update policy.

      There is no way of telling if your device has been compromised although if you suspect it has then a full reset should put it back into its factory state.

      Unfortunately running old versions of iOS won't protect you against the many now patched security issues which are more serious than this one.

      • Steve47 in reply to Bob.

        October 25, 2016 at 5:12 pm #

        "Only extremely old devices can't handle the latest iOS 10".

        Well Bob, my iPad is 4 years old. Do you call that extremely old? I do not. It has not "reached the end of its useful life". It works very well. If Microsoft stopped updating their operating systems after 4 years you can just imagine the crap that would come their way. But we are talking about Apple here – so that's okay.

        My Android phone has CM12 installed and I get regular / monthly updates. Not everyone buys – or should I say gets a "free" phone – from their mobile provider which is then locked to them for 2 years. Your advice to those that do not understand is to buy their phone and then have a sim only contract.

        • Bob in reply to Steve47.

          October 25, 2016 at 6:36 pm #

          @Steve47

          Microsoft are moving towards a policy of reducing the lifecycle of their software. They're making it more difficult for people to use older operating systems like Windows 7. There is "crap" going their way because of it but they're saying 'upgrade to Windows 10' because it's a rolling release.

          I agree that it's not ideal nor is it particularly environmentally friendly but supporting legacy or fragmented hardware isn't in Microsoft's long term interests. Microsoft are one of the only companies I can name who have very long support lifecycles. Even most Linux distributions are between 2 and 4 years for their Long Term Support releases.

          Do I call an iPad 4-years-old "extremely old"? Well yes, I do, in hardware terms.

          I don't know if that means you purchased it 4 years ago when it was just about to be superseded by a later model or if it was brand new and just released 4 years ago.

          With technology, particularly mobile devices like the iPad, it's very difficult to push out updates without significantly degrading the consumer experience. Apple have done it before and people thought they were trying to pull a fast one by encouraging users to buy a new device (because the upgrade had slowed the device to a snail's pace).

          Alternatively you can move towards a model whereby you have feature upgrades separate to security patches but that is more costly, more problematic and confusing for the end user.

          Will it stop you using your iPad? No, but you can't expect to receive free upgrades forever.

          However you purchase the device is irrelevant. It'd be perfect if Android was updated but the reality is they aren't.

          As Graham has already said the Google Pixel will almost certainly receive regular updates; most other manufacturers or networks delay (or refuse) to release updates.

          Would I recommend installing CM for most users? No.

          Some people will find it difficult, others will brick the device, hardware may be incompatible, the user experience isn't great, encryption of the phone is undermined, not all apps run seamlessly on CM and most importantly for many: it voids your warranty.

          Is CM good? Yes, to an extent and it receives regular updates, but it isn't for everybody.

    • David L in reply to George.

      October 25, 2016 at 5:05 pm #

      Hi George,

      If you only use the device for personal use and not at or for work, I wouldn't worry too much, so long as you are not using it in risky ways, like connecting to insecure public wifi or browsing porn sites, and are careful about not opening attachments in emails from strange sources, or ones that look suspicious. Your chances of infection are very low. But you should plan on getting a newer device that can receive and operate well with the newer updates. You can always buy a refurbished device, or last year's flagship models, as they are much cheaper just after the new models hit the shelves. If buying a used device on the internet, make sure it's from a reputable source, and go to an OEM store to have it checked out, then transfer your data to it from the old device. Lots of ways to save money, but do your homework first.

  3. Alan

    October 25, 2016 at 7:35 pm #

    Has this exploit been seen in the wild? Any way to verify its presence, or use on a device?

    • Bob in reply to Alan.

      October 25, 2016 at 8:08 pm #

      There is no way to verify its presence and, yes, it has been found in the wild.

      • Derek in reply to Bob.

        October 26, 2016 at 5:36 pm #

        @Bob – can you provide any further information or URLs regarding instances of this being exploited in the wild?

        • Bob in reply to Derek.

          October 26, 2016 at 9:28 pm #

          I can provide you with a link Derek but I'm afraid you're going to have to wait a little while longer before details of its use and dissemination are made public.

          There's a period of time before disclosing this to the public at large until such a time that the majority of users have patched their devices.

          I will say this however – the underlying concept is already mitigated against by computer antivirus solutions so it's nothing new. This was just a slightly different way of deploying the hack in order to affect Apple devices. Real world infections ('in the wild') are out there at the minute but being used in a targeted manner.

          http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4673
