Remember Stagefright?

Stagefright was one of 2015’s most newsworthy BWAINs (Bugs with an Impressive Name): a security hole, or more accurately a cluster of holes, in Android’s libstagefright multimedia software component.

Multimedia objects such as images, video and audio are often stored in files with complex formats.

That, in turn, means lots of clever programming to read them in, decode them, decompress them into memory and prepare them for display.

And, as you probably know only too well, the more complex a program gets; the more calculations it needs to do based on numbers extracted from untrusted files; the more it needs to mess around allocating and deallocating memory and shuffling data between memory buffers…

…the more likely it is that some sort of buffer overflow or integer overflow bug will show up.

Not all vulnerabilities can be turned into working exploits, where crooks can send deliberately-crafted files that not only crash the offending code but also wrangle control from it in the process.

But overflow vulnerabilites that can be exploited often turn into full-blown RCEs, or remote code execution flaws, which means not only that crooks can trick buggy software into running unauthorised program code, but also that they can do so using content sent from afar.

Image rendering bugs are particularly dangerous when they are “weaponised” into RCEs, because so many of the images we receive these days are processed and displayed automatically as an expected part of some other innocent activity.

That’s why Android’s series of Stagefright bugs caused widespread alarm (more alarm than was needed, fortunately), because apps that auto-render and auto-display images include:

  • Messaging apps. Text messages contain only text, but messages sent using MMS (the mobile phone network’s multimedia messaging system) usually link directly to image files, which are pulled down and processed automatically by the messaging software.
  • Email clients. Email attachments are easy enough to open by mistake, but they require an extra tap after reading the message in the first place. Inline images simply appear as part of the message, so just reading an email containing images may be enough for an attack to succeed.
  • Browsers. Modern web pages typically contain anywhere from tens to hundreds of images, all of which are processed, scaled and put into the page that gets displayed.

The bad news in all of these cases is that the sender gets to decide what images are included, as well as what format they are in.

In other words, even if there’s an unusual bug in an abstruse image format you’ve never used yourself, the sender can pick that format, and the app does the work of figuring what program code to use to process it, and how to display it on screen.

MMSes are a particularly nasty problem here: the sender can push messages to your device any time, and most messaging apps automatically pre-fetch the images they link to, ready for later.

With a website, you can always decide not to visit it at all; with emails you can at least delete unknown emails from your inbox without opening them first, giving you a fighting chance of avoiding suspicious and unwanted content.

But MMSes are generally “just there,” ready and waiting, so as soon as you look at your list of messages, any booby-trapped images sent to you have already had their chance.

Stagefright on Macs and iPhones

Well, it seems that Stagefright has come to Macs and iPhones, after a fashion.

In Apple’s recent security updates for OS X (10.11.6) and iOS (9.3.3), some of the patched bugs are listed like this:

ImageIO

Impact: A remote attacker may be able to execute arbitrary code

Description: Multiple memory corruption issues were addressed through improved memory handling.

Four different bugs (CVE-2016-1850, CVE-2016-4629, CVE-2016-4630, CVE-2016-4631) were fixed; the “biggie” is CVE-2016-4631.

Loosely speaking, Apple’s ImageIO is its equivalent of Google’s libstagefright.

According to security researcher Tyler Bohan of Cisco Talos: the CVE-2106-4631 bug occurs in the handling of TIFF images; the faulty code affects both OS X and iOS; and the bug has been around for ages.

The bottom line, therefore, is that your iDevice or Mac is almost certainly vulnerable if you haven’t installed the very latest update yet.

(We sometimes hear from people who naively assume that once they get really out date, for example by sticking with Windows XP, even their exploitable vulnerabilities go stale and out of fashion; not so here, according to Bohan.)

In theory, then, now the CVE-2016-4631 hole is known, and the crooks have hints on where to start looking to find a working exploit, there’s a real risk of OS X and iOS malware or data-stealing attacks that can be triggered by messages or emails.

Even if iOS malware were to take over just your Messaging app, and be constrained by iOS’s sandboxing to messaging data only, you could have plenty of personal information at stake.

What to do?

  • Patch early, patch often. That may one of our truisms, but truisms get to be truisms precisely because they’re true!
  • Consider turning off MMS messaging. If you don’t use MMSes (I haven’t received one for ages), you can turn them off altogether on iOS in Settings | Messages.