Apple iOS Bug Allowed Hackers to Attack iPhone Using a Song

By Vishal Goel | April 09, 2017

Two old iPhones, the iPhone 5 and iPhone 5C, are displayed for comparison. (YouTube)

Researchers have revealed two security loopholes on iPhones that allowed malicious code to execute as soon as a user played a song. The bug allowed attackers to hide exploits in .M4A audio files and bypass security by taking advantage of the lack of proper validation of the length of user-supplied data on iOS 10.3. Apple has issued a patch for the vulnerabilities.

An anonymous hacker working with Trend Micro's Zero Day Initiative (ZDI) disclosed the bugs. Defined as a memory corruption flaw, the bugs also affect Apple TV and watchOS. Apple said it had addressed the problem with "improved input validation."

The problem is similar to an earlier exploit of Google's Android operating system that was revealed in 2015 when researchers discovered that they could hide exploit code in MP3s and MP4s. The problems came from the way Android processed metadata within music files. This time, however, the problem was only with MP4s (specifically .M4A audio files).

Among other fixes, Apple released iOS 10.3.1 with a fix for an issue that could have let an attacker within range execute malicious code on the phone's Wi-Fi chip. Google's Project Zero staffer Gal Beniamini, who discovered the bug, did not provide more information on what the attack entailed.

Apart from patching this critical weakness, Apple had to patch eighty-two more separate vulnerabilities in iOS 10.3 last week. The most alarming of these was a hack that required the user to just view a JPEG image for malicious code to run. That issue was also revealed by an anonymous researcher via the Zero Day Initiative.

The new iOS is now shipping with the new and encrypted Apple File System (APFS), which makes it harder for hackers and police forensics teams to grab data in plain text from iPhones.
