Google discloses zero-click bugs impacting all Apple platforms

Posted in General Discussion, edited April 2020
Google on Tuesday revealed the discovery of a handful of now-patched bugs in Apple's Image I/O, a multimedia processing framework vital to the company's platforms.

Discovered by Google's Project Zero team, and outlined in a publication on Tuesday, the Image I/O flaws are ripe candidates for zero-click attack vectors, reports ZDNet.

Image I/O ships with iOS, macOS, watchOS and tvOS, meaning the flaws were present on each of Apple's major platforms.

As noted in Google's disclosure, the Image I/O problems hark back to well-known issues with image format parsers. Such frameworks are attractive targets for attackers because a malformed multimedia file, once the parser processes it, can often lead to code execution on the target system without any user interaction.

Project Zero probed Image I/O with "fuzzing", feeding the framework malformed image files to see how it responded. The technique was chosen because Apple does not make most of the framework's source code available.

Google researchers successfully teased out six vulnerabilities in Image I/O and another eight in OpenEXR, a third-party "high dynamic-range (HDR) image file format" that is exposed through Apple's framework.

"It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for [remote code execution] in a 0click attack scenario," writes Samuel Groß, a security researcher at Project Zero.

Groß recommends that Apple perform continuous "fuzz-testing" as well as "aggressive attack-surface reduction" in operating system libraries and messenger apps, the latter being another popular avenue for multimedia-based attacks. Attack-surface reduction in this sense means supporting fewer file formats in exchange for a smaller amount of code exposed to untrusted input.
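One concrete form of the attack-surface reduction described above is a format gate that inspects an untrusted file's magic bytes before any full image parser runs, so that rarely needed decoders such as OpenEXR never see attacker-controlled input. The following is an added example, not code from Project Zero, Apple or the article; the allowlist, the size limit and the sample byte strings are assumptions chosen for illustration.

```python
"""Format allowlist gate for untrusted images (e.g. in a messenger).

Added example, not Project Zero's or Apple's code. It decides, from
the leading magic bytes alone, whether an untrusted image may be
handed to a full image-parsing framework, so decoders for formats the
app does not need (OpenEXR here) are never reached.
"""
from typing import Optional, Tuple

# Magic-byte signatures this gate recognises. Only the formats listed
# in ALLOWED are passed on; the others are recognised solely so they
# can be rejected with a specific reason.
SIGNATURES = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",                # covers GIF87a and GIF89a
    "exr":  b"\x76\x2f\x31\x01",    # OpenEXR magic number
    "bmp":  b"BM",
}
ALLOWED = frozenset({"png", "jpeg", "gif"})   # assumed policy


def sniff_format(data: bytes) -> Optional[str]:
    """Return the name of the format whose signature matches, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def admit_image(data: bytes, max_size: int = 8 * 1024 * 1024) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection happens before a parser runs."""
    if len(data) > max_size:
        return False, "too large"
    fmt = sniff_format(data)
    if fmt is None:
        return False, "unknown format"
    if fmt not in ALLOWED:
        return False, f"format {fmt} not allowed"
    return True, fmt


if __name__ == "__main__":
    # Constructed samples: file headers followed by padding, not real images.
    for sample in (b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
                   b"\x76\x2f\x31\x01" + b"\0" * 16,
                   b"garbage"):
        print(admit_image(sample))
```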

Apple fixed the six Image I/O flaws in security patches pushed out in January and April, according to the report.

Comments

  • Reply 1 of 20
    rob53 (Posts: 2,465, member)
    Already fixed so why did Google bring it up?
  • Reply 2 of 20
    rob53 said:
    Already fixed so why did Google bring it up?
    Exactly. "Oh look, Apple sucks and we're here to show them how it's done". Yeah, remember /var google???
  • Reply 3 of 20
    dkddkd (Posts: 12, member)
    rob53 said:
    Already fixed so why did Google bring it up?

    It is common practice within the security field for the org/team that submitted the security vulnerabilities to publish their findings after the vendor patches said vulnerabilities - nothing nefarious going on here ...
  • Reply 4 of 20
    chasm (Posts: 2,322, member)
    I truly admire the fine work of the Google Project Zero team, but I do wish a few of them could turn their focus a little harder to the malware-ridden security nightmare that is Android. You'll notice that no federal agency has EVER complained that Google won't give them access to a phone they want to sift through ... just sayin'.
  • Reply 5 of 20
    dysamoria (Posts: 3,128, member)
    rob53 said:
    Already fixed so why did Google bring it up?
    Exactly. "Oh look, Apple sucks and we're here to show them how it's done". Yeah, remember /var google???
    Why are you guys so defensive? This is standard practice. It’s no kind of attack on Apple.
  • Reply 6 of 20
    Rayz2016 (Posts: 6,669, member)
    rob53 said:
    Already fixed so why did Google bring it up?
    Because this is the agreed practice in the discovery of attack vectors:

    prove the vulnerability exists
    inform the company that owns the platform
    give the company ample time to fix the problem
    publish the problem so other security, OS and app developers can learn from the discovery. 
  • Reply 7 of 20
    mcdave (Posts: 1,571, member)
    Rayz2016 said:
    rob53 said:
    Already fixed so why did Google bring it up?
    Because this is the agreed practice in the discovery of attack vectors:

    prove the vulnerability exists
    inform the company that owns the platform
    give the company ample time to fix the problem
    publish the problem so other security, OS and app developers can learn from the discovery. 
    So extortive propaganda then. Where’s the Apple team picking holes in Google?
  • Reply 8 of 20
    michelb76 (Posts: 213, member)
    mcdave said:
    So extortive propaganda then. Where’s the Apple team picking holes in Google?
    Have you even read up on Project Zero at all? That whole 'us vs them' mentality is such a problem in your country.
    edited April 2020
  • Reply 9 of 20
    tommy65 (Posts: 56, member)
    Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities, the secret hackable bugs that are exploited by criminals, state-sponsored hackers, and intelligence agencies. It was announced on 15 July 2014. Check the corresponding website if you want to know what it is all about. Googleprojectzero.blogspot.com
    edited April 2020
  • Reply 10 of 20
    Rayz2016 (Posts: 6,669, member)
    chasm said:
    I truly admire the fine work of the Google Project Zero team, but I do wish a few of them could turn their focus a little harder to the malware-ridden security nightmare that is Android. You'll notice that no federal agency has EVER complained that Google won't give them access to a phone they want to sift through ... just sayin'.
    mcdave said:
    Rayz2016 said:
    rob53 said:
    Already fixed so why did Google bring it up?
    Because this is the agreed practice in the discovery of attack vectors:

    prove the vulnerability exists
    inform the company that owns the platform
    give the company ample time to fix the problem
    publish the problem so other security, OS and app developers can learn from the discovery. 
    So extortive propaganda then. Where’s the Apple team picking holes in Google?

    Project Zero releases details of massive vulnerability in Android that was exploited in the Wild:

    https://www.zdnet.com/article/google-finds-android-zero-day-impacting-pixel-samsung-huawei-xiaomi-devices/

    Project Zero releases details of vulnerability in Windows:

    https://arstechnica.com/information-technology/2019/08/a-look-at-the-windows-10-exploit-google-zero-disclosed-this-week/

    The reason that you don't hear about them is because the IT Press knows it can get more ad clicks per word if they just focus on Apple. No one cares about vulnerabilities in Windows or Android because everyone sort of expects it, none of which has anything to do with the valuable work that Project Zero is doing.

    So extortive propaganda then. Where’s the Apple team picking holes in Google?

    Well, you'd have to ask Apple that, because it's really not in Project Zero's remit to plan Apple's resourcing. I suspect the reason is that Apple's work does not cover as many platforms as Google's, so there is no need for them to test vulnerabilities on platforms other than their own.

    edited April 2020
  • Reply 11 of 20
    tommy65 (Posts: 56, member)
    Apple’s focus on security for its client base is a good thing. The sooner exploits are fixed the better. And yes, it is good behavior of Google not to address exploits to the public before a patch is applied.
    edited April 2020
  • Reply 12 of 20
    michelb76 said:
    mcdave said:
    So extortive propaganda then. Where’s the Apple team picking holes in Google?
    Have you even read up on Project Zero at all? That whole 'us vs them' mentality is such a problem in your country.

    Apple is free to research GOO as any other - but seems busy with fixing their own bugs...
    Your vision on propaganda seems asymmetric
    edited April 2020
  • Reply 13 of 20
    qwerty52 (Posts: 271, member)
    dkddkd said:
    rob53 said:
    Already fixed so why did Google bring it up?

    It is common practice within the security field for the org/team that submitted the security vulnerabilities to publish their findings after the vendor patches said vulnerabilities - nothing nefarious going on here ...
    “It's usually the practice”...... to control primary iOS! And what about Android? Ironically enough: the maker of Android controls the maker of iOS for vulnerabilities in the OS. It's ridiculous......
  • Reply 14 of 20
    EsquireCats (Posts: 1,105, member)
    If you think this is controversial, read on...

    The process of disclosing security flaws is well outlined and nothing new - one is hearing about these because this is an Apple-related news site. Similar disclosures occur for a range of other platforms, including their own:

    If you like, here is Apple's own disclosure of the same bugs, these were disclosed well before ZDnet's article:
    https://support.apple.com/en-us/HT210918

    edited April 2020
  • Reply 15 of 20
    avon b7 (Posts: 5,595, member)
    qwerty52 said:
    dkddkd said:
    rob53 said:
    Already fixed so why did Google bring it up?

    It is common practice within the security field for the org/team that submitted the security vulnerabilities to publish their findings after the vendor patches said vulnerabilities - nothing nefarious going on here ...
    “It's usually the practice”...... to control primary iOS! And what about Android? Ironically enough: the maker of Android controls the maker of iOS for vulnerabilities in the OS. It's ridiculous......
    This team is there to seek out nasty bugs for the greater good of everyone. You are jumping to the wrong conclusions. As an aside, Apple was late to offer a bug bounty programme which IMO had hampered efforts to discover serious flaws. By how much, I can't say but the more flaws that get discovered and patched, the better for everyone. 
  • Reply 16 of 20
    There is no perfect system, only Theo going right for better.

    Apple has been waging that war.

    It’s incalculably easier to find a flaw in someone’s work than it is to create a similar thing.

    Case in point: Android. Less an OS and more a malware and hacker Petri dish.

    Can Google dig long enough and deep enough toting fleas in Apple's work? Apparently so.

    But a discovery is like looking at a museum masterpiece: you look over it and critically analyze it and there will be flaws. But criticism is a dime a dozen. Literally everyone is a critic.

    There is only one Michelangelo. One da Vinci. Etc.

    The artist is where the true glory goes. Not the person looking at the art.

    There is no glory in Team Zero's work. They toil away looking at someone else’s masterpiece in order to find the inevitable flaws. It is necessary and helpful. But it’s not even at the base of the mountain that is the creation of the thing they are dissecting.

    So AFTER the hole is patched, we can allow them to crow about it a little.

    They earned that much.

    And it's good to be aware of such truths.

    What it doesn’t mean is that this somehow puts Apple in a bad light or elevates Google to Apple status somehow.

    After all, Google tried their hand at creating a masterpiece. It’s so art at they can only give it away for free. Not only that, but their partners prefer to paint over it anyway.

    In the end, Apple's greatness is greater and a distant also-ran gets to say that though they can’t compete, at least Apple is not totally perfect. And maybe, just maybe... they get a cookie too.
  • Reply 17 of 20
    MplsP (Posts: 2,883, member)
    For all the complainers- believe it or not, most security researchers don’t view these bugs as a competition between platforms. They view it as a competition between the good guys and the bad guys. Every time a security hole is found in one platform, people learn from it and use the knowledge to prevent the same type of hole from happening again.  You can be sure if someone finds a hole in Android they will look for the same type of problem in iOS and vice versa.  That benefits us all.
  • Reply 18 of 20
    dewme (Posts: 3,409, member)
    dkddkd said:
    rob53 said:
    Already fixed so why did Google bring it up?

    It is common practice within the security field for the org/team that submitted the security vulnerabilities to publish their findings after the vendor patches said vulnerabilities - nothing nefarious going on here ...
    Yes indeed. Thank you Google for doing this the right way. 
  • Reply 19 of 20
    lkrupp (Posts: 8,890, member)
    Rayz2016 said:

    The reason that you don't hear about them is because the IT Press knows it can get more ad clicks per word if they just focus on Apple. No one cares about vulnerabilities in Windows or Android because everyone sort of expects it, none of which has anything to do with the valuable work that Project Zero is doing.


    Bingo! Android and Windows security breaches can’t generate the outrage and condescension that Apple bugs do, so the tech media reports those in passing with almost no commentary. But when it’s Apple, let the dog and pony show begin. Apple flaws even make it to NBC’s nightly news. When’s the last time Lester Holt did a segment on Android’s flaws? 

    That being said, Apple brought this on themselves with all their chest thumping and virtue signaling about security and privacy. On the Apple Discussion Forums there are still long-time members who answer questions about anti-virus software by declaring “There are no viruses for macOS” or “Your iPhone cannot be hacked”. As we all know by now, that’s whistling past the graveyard.
  • Reply 20 of 20
    dysamoria (Posts: 3,128, member)
    mcdave said:
    Rayz2016 said:
    rob53 said:
    Already fixed so why did Google bring it up?
    Because this is the agreed practice in the discovery of attack vectors:

    prove the vulnerability exists
    inform the company that owns the platform
    give the company ample time to fix the problem
    publish the problem so other security, OS and app developers can learn from the discovery. 
    So extortive propaganda then. Where’s the Apple team picking holes in Google?
    [rolls eyes ... across floor]

    [shakes head ... experiences motion sickness]
