Bishop Fox Researchers Discover Critical Vulnerability in Apple OS X Messages Application

The Bug, CVE-2016-1764, Was Patched by Apple Following Researchers' Disclosure


SAN FRANCISCO, CA--(Marketwired - Apr 8, 2016) - Researchers from the cybersecurity consulting firm Bishop Fox and the Uber Security Team recently found a high-risk security issue in Apple's Messages for OS X application.

The vulnerability allowed an attacker to steal a victim's message history in addition to any message attachments. These attachments could include personal photos, videos, and any other media ever sent by the victim.

"It would have been a devastating attack for anyone to experience," said Joe DeMesy, a security associate at Bishop Fox who is one of the three researchers responsible for the finding. "Think about what you usually send to your friends and family via message. Private photos, personal information, all kinds of content you wouldn't want to fall into the wrong hands."

An attacker could exploit this vulnerability by sending a malicious message to a victim, which could be manipulated to appear as if it came from a trusted source. The message would contain a link that, when clicked by the victim, would give the attacker access to the victim's messages and attachments almost instantly.

Also responsible for identifying the vulnerability were Shubham Shah, a senior security analyst at Bishop Fox, and Matthew Bryant, an application security engineer at Uber who previously worked at Bishop Fox.

The researchers disclosed their finding to Apple, and the parties worked together to quickly remediate the issue. Apple developed a patch, which can be found in the software update released by Apple on March 21, 2016.

"Apple was responsive from the start and kept the lines of communication open throughout the disclosure process," said Carl Livitt, a partner at Bishop Fox.

If you are one of the many Messages for OS X users and have yet to update your software to the newest version, both Apple and Bishop Fox advise doing so immediately.

Additional technical information on how Bishop Fox found and exploited this vulnerability can be found here, and this video demonstrates the attack in action. Please also see Apple's official write-up on the OS X El Capitan v10.11.4 and Security Update 2016-002 release.

About Bishop Fox

Bishop Fox is an independent cybersecurity firm that protects businesses from today's increasing security threats. Since 2005, the firm has provided assessment, penetration testing, and enterprise security consulting services to the world's leading organizations.

Contact Information:

Amy Blumenthal
617-879-1511
amyb@blumenthalpr.com