Remote Code Execution With Image Files
An exploitable heap based buffer overflow exists in the handling of TIFF images on Apple OS X and iOS operating systems. A crafted TIFF document can lead to a heap based buffer overflow resulting in remote code execution. This vulnerability can be triggered via malicious web page, MMS message, iMessage or a file attachment delivered by other means when opened in applications using the Apple Image I/O API.
I was about to post that these exploits should be substantially mitigated by iOS sandboxing (you can get arbitrary code execution, but can’t get out of the exploited process’s sandbox without a second exploit), but then saw CVE-2016-4627 also in the 9.3.3 release notes, which is a local privilege escalation exploit that allows arbitrary code execution with kernel privileges.
It’s fixed in Mac OS X 10.11.6 and iOS 9.3.3.
