IE 11 is not supported. For an optimal experience visit our site on another browser.

One Photo Could Hack Your Apple Device; Experts Urge Users to Upgrade iPhones and Macs

Have you updated your iPhone or Mac OS lately? If not, a new security exploit could let an attacker into your iPhone or Mac with just one photo.
Apple iPhone 6
Apple iPhone 6
By Ben Popken

It's like "The Ring" for your iPhone: just viewing one texted photo could get it hacked.

Experts are urging Apple users to manually update their operating systems after Apple issued a patch for a new security exploit that could let a hacker take over their devices with a single image.

The photo could be on a website or sent by email. Or just an MMS text message. All the attacker would need to know is your cellphone number.

man using a cellular phone
A man checks on his phone at night.Getty Images

Security outfit Cisco Talos last week disclosed that they had found several "remote code execution vulnerabilities in Apple OS X related to processing image formats."

In other words, hackers could theoretically hide malicious instructions inside the code for a photo sent to you to launch an attack on your device. Specifically the risks were found in the popular "BMP" and "TIFF" image file formats.

If your operating system is earlier than 9.3.3 on iOS or earlier than 10.11.6 for OS X, it could be vulnerable.

To update on your iOS, go to Settings > General > Software Update. Tap "Download" and "Install." To update your desktop or laptop OS, click on the "Apple" menu and select "Software Update."

Talos researcher Tyler Bohan told Forbes the issue was “an extremely critical bug... the receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism, so I can send the exploit today and you will receive it whenever your phone is online."

But, "Given the speed and ease in which Apple users update," said Craig Williams, Senior Technical Leader for Cisco Talos, "the number of users that will remain open as a target are relatively small."

Apple declined to comment but in announcing its patch it cited the research by the Talos team and said the fix would resolve how "a remote attacker may be able to execute arbitrary code."

The attack is theoretical at this point and there have been no reports of it being used, so far.

"As more time passes from the patch publication date the risk of an exploit surfacing only increases, patch as soon as you can," said Williams.

The researchers gave advance notice of their findings to Apple, who issued a patch before the group made their discovery public.

And while the updates should hit your phone or computer by themselves at some point, experts say there's no benefit to being lazy.

Sophos security researcher Paul Ducklin described the issue in detail in a Facebook Live post:

"These aren't (so far as we know) zero-day bugs, which is where attacks start before a patch is available... so why not get one step ahead of the crooks?" Ducklin told NBC News.

Ben Popken

Ben Popken is a senior business reporter for NBC News.

close