A new major iOS bug affecting millions of iPads and iPhones has been uncovered recently and it could lead to stolen passwords or even total device control with just a single text. The bug could also lead to a compromised device by just visiting a malicious website.
Fortunately for iPhone and iPad users, an iOS update to fix the exploit is available now.
Apple quietly rolled out iOS version 9.3.3 to the public yesterday, bringing along performance enhancements, bug fixes and security patches to iPhones and iPads everywhere.
It is recommended that you update as soon as possible since a critical security fix is included to address a bug in the ImageIO system, which iOS uses to handle images.
According to Tyler Bohan of Cisco Talos, an attacker could exploit this bug by sending a carefully crafted Multimedia Message (MMS) or a text message with a Tagged Image File Format (TIFF). Once received, this exploit will then execute malicious code that can be used to steal stored passwords such as Wi-Fi and website credentials.
This is a vulnerability comparable to the massive Android Stagefright exploit discovered last year where a single text could let a hacker take total control of your device, the researcher warns. On this iOS exploit, however, total control requires a jailbroken device since iOS employs sandbox protection, which protects parts of the operating system from hackers.
The image exploit could also be executed via poisoned websites. All a user needs to do is use mobile Safari to visit a webpage loaded with the malicious code and it will be automatically executed.
Both attacks on iOS devices, via text MMS or Safari, are undetectable and requires no user interaction to execute.
The ImageIO exploit also works on all Apple operating systems including OS X and watchOS so users of devices utilizing these are advised to practice caution when opening emails and messages. More importantly, Macs running OS X don't have sandbox protection so this exploit could lead to a total compromise of a machine.
Other critical iOS security patches in 9.3.3 include a FaceTime fix to prevent an attacker from causing a supposedly terminated call to continue transmitting audio and a patch for a bug in CoreGraphics, the API for iOS' 2D graphics, which could lead to arbitrary code execution.
To update your iOS device now, tap Settings >> General >> Software Update. iOS 9.3.3 should be ready to Download and Install.
Do you want to read more about the security content of iOS 9.3.3? Then check out this Apple document that lists each fix.