Next time someone sends a song to your iPhone, maybe consider if the sender is trustworthy. Apple killed two vulnerabilities with iOS 10.3 that allowed malicious code to run as soon as an audio file ran on its phones.
An anonymous hacker working with Trend Micro’s Zero Day Initiative (ZDI) disclosed the bugs, which affect Apple TV and watchOS too. Apple described the issue as a memory corruption flaw and said it had addressed the problem with “improved input validation.” For undisclosed reasons, ZDI wasn’t permitted to talk about the bugs until today.
It appears to be similar to an exploit of Google’s Android operating system back in 2015, when researchers discovered they could hide exploit code in MP3s and MP4s. The problems derived from the way Android processed metadata within music files.