Apple has fixed a series of high-risk vulnerabilities in iOS, including three that could lead to remote code execution, with the release of iOS 9.3.3.

One of those code-execution vulnerabilities lies in the way that iOS handles TIFF files in various applications. Researchers at Cisco’s TALOS team, who discovered the flaw, said that the vulnerability has a lot of potential for exploitation.

“This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files,” Cisco TALOS said in a blog post.

“Furthermore, depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (i.e. iMessage) automatically attempt to render images when they are received in their default configurations.”

This vulnerability affects OS X, as well as iOS. Another one of the remote code execution bugs, also discovered by Cisco, lies in the Core Graphics API, which is used in both iOS and OS X.

“The BMP file header contains information about the size, layout, and type of the image. A vulnerability exists within the way that the height property of an image is handled. This can be exploited when a specially crafted BMP image file is saved, then opened and part of the size information is manipulated. The exploit leads to an out of bounds write resulting in remote code execution when opened in any application using the Apple Core Graphics API,” Cisco’s researchers said.

In addition to the remotely exploitable vulnerabilities, Apple also patched a number of other serious bugs, including several memory corruption vulnerabilities in the kernel. Those could be used to execute arbitrary code with kernel privileges, but only by a local user.

The Apple security advisory also lists several patches for vulnerabilities in WebKit.