A serious vulnerability was discovered today with a common picture file type called “Tagged Image File Format, or TIFF. It is an older type of file, but you probaly have many of then somewhere in your computer right now. Every now and then, a new way to hack a computer is discovered before any bad guys figure it out. Thankfully, that happened in this case.
The vulnerability was reported yesterday by Tyler Bohan of Cisco Talos. He said:
The Tagged Image File Format (TIFF) is a file format that is popular with graphic artists, photographers and the publishing industry because of its ability to store images in a lossless format. TIFF was created to try to establish a common scanned image file format in the mid 1980s. Cisco Talos has discovered a vulnerability in the way in which the Image I/O API parses and handles tiled TIFF image files. When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices.
Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient. These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.
Good news is: it’s already fixed. The catch is, you must run the latest update on every computer you own.
Take the next 5 minutes and do this: