iOS and OS X are pretty well secure but zero risk does not exist and that is precisely what this story proves. Tylan Bohan, a security researcher working for Talos, has indeed discovered a new flaw affecting the brand's mobile platform, a flaw allowing a malicious person to steal the password of an iPhone from an MMS or an iMessage.
How? 'Or' What ? By developing a malicious program, embedding it in a TIFF image and then sending it through a simple multimedia message.
When the person receives the message on their phone, the code will be executed automatically without the user's knowledge.
A flaw that affects the iPhone and Macs
And then ? It will suffice for it to exploit a security vulnerability located in the API managing image data ( ImageIO ) to access the content of the terminal and to get its hands on the most sensitive data. Like the user's password.
Not terrible, then, but it is not finished because Macs can also be affected.
By carrying out his investigation further, the security researcher has indeed discovered that this flaw also affects Safari. The worst is yet to come because in this case, the hacker only needs to integrate his script into a web page to infect his target's computer.
Tylan Bohan didn't mince his words. In his eyes, this flaw is comparable to Stagefright and it is extremely dangerous because it offers direct access to all the user's sensitive information. Information such as the password for his session, for example, or his WiFi access and the identifiers of all the sites and services used by him.
The patch is available, you will have to update your machines
However, iPhones are less exposed because iOS incorporates a sandbox system in order to partition all the information related to the various processes running on the terminal.
OS X does not offer such protection, however.
There is still good news in the story. Apple has fixed the flaw in the latest versions of iOS and OS X. So all you have to do is install iOS 9.3.3, Mavericks 10.9.5, Yosemite 10.10.5 or El Capitan 10.11.6 to correct it and remove it at the same time. this vulnerability.
Needless to say, it will be better to do it as soon as possible to avoid unpleasant surprises.