“This is a very high severity issue,” Craig Williams, senior technical lead and head of global outreach at Cisco Talos, the networking giant’s threat intelligence division, told Fortune on a call. “The fact that you have an exploit without any user interaction makes me very concerned.”
The issues affect ImageIO, a programming interface that reads and writes image data. Here’s how an exploit could work: If an attacker were to send someone a booby-trapped multimedia message (MMS), for example, containing malicious code in a “tagged image file format” (abbreviated as TIFF, a format like JPEG or PNG), then the code would start executing as soon as it was received.
Ultimately, an attack could give a hacker access to portions of a computer’s memory, which could contain sensitive information, such as passwords and login credentials, Williams said. The issues affect recent versions of iPhone’s iOS, Mac’s OS X El Capitan, Apple TV’s tvOS, and Apple Watch’s watchOS software. (See the linked pages for more information, as well as this technical post on the Cisco Talos blog.)
“An attacker could send a thousand iMessages to victims and the second they turn their phones on they’re infected,” Williams added. In this way, the flaws recall the Stagefright vulnerabilities that affected Google’s Android software last year—although the Android issues were more severe since they remained effectively unpatched for longer and gave hackers greater control over affected devices.
A word of advice? Patch up. “Exploitation-wise, Talos estimates there is about a two-week effort to get from the information we disclosed publicly to a fully working exploit with a decent amount of reliability,” Tyler Bohan, the security researcher at Cisco Talos who uncovered and reported the bug, told Forbes Tuesday.
Another reason to patch up pronto: Another bug affecting Apple software—this one discovered by a Salesforce security engineer—lets snoops eavesdrop on FaceTime calls. The newly issued iOS 9.3.3 fixes that problem, too.
As with any security fixes, people “should apply the patch immediately,” Williams said.