Apple Patches Critical Image Preview Bug

John Lister's picture

Apple has patched a security flaw that could compromise phones and tablets just by users receiving a message. The exploit would use an attachment in iMessages but wouldn't require the user to click or open it.

It's a potentially very serious flaw though ironically that may be the saving factor for most ordinary users. Because it's so serious, experts believe it's most likely to be used for highly targeted attacks.

The bug was discovered by researchers at the University of Toronto, who say it's an example of "zero-click spyware". While they've seen similar attacks on Apple devices before, it's the first time they've been able to access the code used in the attack and analyze the tactics. (Source: citizenlab.ca)

Bogus Image Files Unlock Attack

According to the researchers, the attack involved messages with attached files that claimed to be GIF image files. In fact most were Photoshop (PSD) image files while others were PDF files.

The attack was highly technical, but in simple terms it took advantage of the way Apple devices turn the information in an image file and then actually display the image on the screen. In effect the attackers were able to manipulate the process to produce computer code that was much larger than the space Apple allocates for the operation. This code effectively "bursts through" into other parts of the device's memory.

Apple has confirmed the exploit could allow attackers to carry out arbitrary code execution. That's the holy grail for attackers as it means they can run malware directly on the device.

Attack Similar to Amazon CEO Jeff Bezos Hack

This type of attack is very similar to the one that affected Jeff Bezos (CEO of Amazon), which was also linked to Crown Prince Mohammed bin Salman. Around the same time, the Prince was also claimed to be responsible for Jamal Khashoggi's brutal death in which he was murdered for being dissident to the kingdom of Saudi Arabia. For those who are interested, refer to "The Dissedent" documentary on Netflix.

Mercenaries Behind Attack

The Toronto researchers say they found the attack evidence on the phone of a Saudi political rights activists. They say they are highly confident it's the work of an Israeli group called NSO. That group isn't thought to be politically motivated but rather act as "hackers for hire".

Apple's security update for the problem covers most iOS devices including phones and tablets dating back to around 2014. Most users should have iOS updates set to download and install automatically. Those who don't should certainly do this manually.

The closest thing to good news in this situation is that the way an attack works, including sending a message, means it's probably not efficient for attackers to use "spray and pay" tactics where they simply go after as many people as possible in the hope of increasing their success. Instead it's more likely they'll go after specific individuals who they either want to disrupt or access their personal data. (Source: bbc.co.uk)

What's Your Opinion?

Do you use Apple products? Do you have automatic updates switched on? Do you generally feel more secure using iOS than other systems?

Rate this article: 
Average: 5 (6 votes)

Comments

JeffRL's picture

Remember back in the day when Mac snobs were so damned smug with their claim that Apple systems were *never* hacked and *never* infected with viruses?

Welcome to the real world, Apple.