Malicious JPEGs can compromise your iPhone
A vulnerability in the iOS CoreGraphics component allows attackers to compromise iDevices by tricking victims into viewing a maliciously crafted JPEG file.
The good news is that the existence of the bug (CVE-2016-4673) was not revealed through in-the-wild attacks, but was found and responsibly disclosed by security researcher Marco Grassi of Tencent’s Keen Lab.
Apple has pushed out a patch for it in the iOS security update released on Monday. The patch is also included in the updates for watchOS, tvOS and macOS, which were released on the same day.
The iOS update also fixes an issue in the Address Book, which allows an application to maintain access to the Address Book after access is revoked in Settings, as well as several other bugs that can be exploited by the user viewing maliciously crafted web content or through a maliciously crafted font file.
Finally, it also includes fixes for a design issue at the core of the XNU kernel which powers iOS, which could lead to unexpected system termination or arbitrary code execution in the kernel.
The problem was discovered in February by Ian Beer of Google Project Zero, and the it has also been fixed in the macOS update.
All in all, these security updates are very important, so if you own a device or computer made by Apple, you would be wise to implement them as soon as possible.
As a sidenote: only a few days after the updates were released, the Tencent Keen Lab team demonstrated complete and partial exploits of bugs that still exist in the latest iOS version.
The exploits were demonstrated at the Mobile Pwn2Own 2016 hacking contest, and you can be sure that Apple will be working on fixing them quickly.
The users’ job is to help themselves by implementing security updates as soon as they are made available.