Security researcher Lander Brandt has discovered a serious bug in the way iOS and OS X render images. It has the potential to instantly crash any iOS device or Mac, and can be utilized in a variety of easy ways.
Nefarious individuals can send a corrupted image file as an iMessage to another person, or in an email. They might put it online and direct users to the address. Brandt compares the bug to the CoreText bug of 2013, wherein sending a text message containing particular Arabic characters caused similar crashes – and became notorious as a prank.
The bug stems from the fact that iOS and OS X aren’t able to cope properly with PNG image files that have a 0-byte chunk within them. Brandt provides an example file at his website.
Because the buggy image file can be inserted just about anywhere, there’s the potential for nefarious individuals to quickly and easily cause havoc. Brandt lists the following example scenarios:
- Receiving the malicious image via text message with message previews turned on will crash SpringBoard on iOS
- Entering a message thread containing the image will crash the Messages app
- Opening an email containing the image will crash the mail client
- Posting a link to the image will crash some third-party Twitter clients which try to load the image
- Visiting a page containing the image will crash Safari’s content renderer
Brandt was able to upload the image to image hosting services like Imgur, although Facebook and Twitter both convert the image to JPEG, which removes the errant 0-byte chunk.
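A service that stores PNG uploads without re-encoding them could screen for the 0-byte chunk described above. The following is an added example, not code from Brandt or Apple: it walks the chunk list and reports zero-length chunks. Since the article does not say which chunk type is involved, it assumes any zero-length chunk other than IEND (which is always empty) is worth flagging; the sample files and the `exAm` chunk type are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes = b"") -> bytes:
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32 of type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def zero_length_chunks(png: bytes) -> list:
    """Return (offset, type) for each zero-length chunk other than IEND.

    Assumption: IEND is the only chunk expected to be empty.
    Raises ValueError on a bad signature or a truncated chunk.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    findings = []
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(png):
            raise ValueError(f"chunk at offset {pos} runs past end of file")
        if ctype == b"IEND":
            break
        if length == 0:
            findings.append((pos, ctype.decode("latin-1")))
        pos = end
    return findings


# Constructed samples: a 1x1 greyscale PNG, with and without an empty chunk.
# "exAm" is a made-up private ancillary chunk type, not one named in the article.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
IEND = make_chunk(b"IEND")
CLEAN = PNG_SIGNATURE + IHDR + IDAT + IEND
SUSPECT = PNG_SIGNATURE + IHDR + make_chunk(b"exAm") + IDAT + IEND

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, zero_length_chunks(blob))
```

A flagged file can be rejected or re-encoded before it is served to other users.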
Brandt informed Apple of the bug in mid-December last year and received an acknowledgement as well as a promise that the bug would be fixed. However, the recent release of updates to Apple’s operating systems has not fixed the bug. The last Brandt heard was on Mar 22, 2016 when Apple stated a fix was again “in progress”.
Mac Kung Fu tested the bug and it did indeed crash Safari on iOS. We were unable to test the bug within Messages because of the impossibility of inserting it into a message without causing a crash. However, an Android user or Windows Phone user unaffected by the bug would be able to easily exploit it in order to prank their iPhone-owning friends.
At the present time there’s little users can do to protect themselves against the bug until Apple issues a fix. Even more worryingly, it’s possible hackers might exploit the bug to run remote code on the affected iOS devices and Macs. If we hear anything of this nature we’ll be sure to let you know.