Google discloses zero-click bugs impacting all Apple platforms
Google on Tuesday revealed the discovery of a handful of now-patched bugs in Apple's Image I/O, a multimedia processing framework vital to the company's platforms.
Discovered by Google's Project Zero team, and outlined in a publication on Tuesday, the Image I/O flaws are ripe candidates for zero-click attack vectors, reports ZDNet.
Image I/O ships with iOS, macOS, watchOS and tvOS, meaning the flaws were present on each of Apple's major platforms.
As noted in Google's disclosure, the Image I/O problems hark back to the well-known weaknesses of image format parsers. These specialized frameworks are ideal targets, because a malformed multimedia asset, once the parser processes it, can typically be made to run code on the target system without any user interaction.
Project Zero poked at Image I/O using a process called "fuzzing" to see how the framework responded to malformed image files. The technique was selected because Apple restricts access to a majority of the tool's source code.
Google researchers successfully teased out six vulnerabilities in Image I/O and another eight in OpenEXR, a third-party "high dynamic-range (HDR) image file format" that is exposed through Apple's framework.
"It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for [remote code execution] in a 0click attack scenario," writes Samuel Groß, security researcher at Project Zero.
Groß recommends Apple perform continuous "fuzz-testing" as well as "aggressive attack-surface reduction" in operating system libraries and messenger apps, another popular avenue for multimedia-based attacks. The latter tactic would reduce compatible file formats in the name of security.
Apple fixed the six Image I/O flaws in security patches pushed out in January and April, according to the report.
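To make the two techniques the article names concrete, the following is an added example (not code from Google, Project Zero or Apple) of a minimal mutation fuzzer run against a toy image parser. The "TIMG" format, both parsers, the seed image and the mutation strategy are constructed for this illustration and assumed here; nothing in it corresponds to Image I/O or OpenEXR internals. The unchecked parser trusts the header's dimensions, the classic parser mistake, and the fuzzer surfaces it by feeding mutated copies of a valid file and recording every input that produces something other than a clean rejection; the checked parser validates the header against the real buffer length, the kind of input-validation hardening that an attack-surface review would enforce, and survives the same campaign.

```python
import random
import struct

# Constructed toy image format for this demonstration only (not a real format):
# 4-byte magic b"TIMG", big-endian uint16 width, uint16 height, then exactly
# width*height bytes of 8-bit pixels.
MAGIC = b"TIMG"
HEADER_LEN = 8


def parse_unchecked(data: bytes) -> list[bytes]:
    """Fragile parser: trusts the dimensions in the header. When the header
    lies, it indexes past the pixel buffer; in a C decoder that is an
    out-of-bounds read rather than a Python IndexError."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    width, height = struct.unpack(">HH", data[4:HEADER_LEN])
    pixels = data[HEADER_LEN:]
    return [bytes(pixels[y * width + x] for x in range(width)) for y in range(height)]


def parse_checked(data: bytes) -> list[bytes]:
    """Hardened parser: validates every header field against the real length
    of the input before touching pixel data."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    width, height = struct.unpack(">HH", data[4:HEADER_LEN])
    if width == 0 or height == 0:
        raise ValueError("zero dimension")
    if len(data) - HEADER_LEN != width * height:
        raise ValueError("pixel buffer does not match dimensions")
    pixels = data[HEADER_LEN:]
    return [pixels[y * width:(y + 1) * width] for y in range(height)]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to the seed: a bit flip, a byte overwrite,
    or a truncation. Real fuzzers use far richer strategies."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        i = rng.randrange(len(buf))
        buf[i] = rng.randrange(256)
    else:
        buf = buf[:rng.randrange(len(buf) + 1)]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 0) -> list[bytes]:
    """Mutation fuzzer: feeds mutated seeds to `parser` and collects every
    input that provokes anything other than a deliberate ValueError rejection.
    A seeded RNG keeps the campaign reproducible."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ValueError:
            continue  # the parser rejected the input on purpose
        except Exception:
            crashes.append(sample)  # unexpected exception: treat as a crash
    return crashes


# Valid 4x2 seed image (constructed): header plus eight pixel bytes.
SEED = MAGIC + struct.pack(">HH", 4, 2) + bytes(range(8))


if __name__ == "__main__":
    print("unchecked parser crashes:", len(fuzz(parse_unchecked, SEED, 2000)))
    print("checked parser crashes:  ", len(fuzz(parse_checked, SEED, 2000)))
```

Every crashing input the fuzzer collects is a reproducer a developer can replay under a debugger; in a native decoder the same harness would sit behind a sanitizer build so that silent out-of-bounds reads are reported rather than merely tolerated. The checked parser's remaining crash count of zero is the property attack-surface reduction aims for across every format a framework still agrees to decode.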
Comments
It is common practice within the security field for the org/team that submitted the security vulnerabilities to publish their findings after the vendor patches said vulnerabilities - nothing nefarious going on here ...
prove the vulnerability exists
inform the company that owns the platform
give the company ample time to fix the problem
publish the problem so other security, OS and app developers can learn from the discovery.
Project Zero releases details of massive vulnerability in Android that was exploited in the Wild:
https://www.zdnet.com/article/google-finds-android-zero-day-impacting-pixel-samsung-huawei-xiaomi-devices/
Project Zero releases details of vulnerability in Windows:
https://arstechnica.com/information-technology/2019/08/a-look-at-the-windows-10-exploit-google-zero-disclosed-this-week/
The reason that you don't hear about them is because the IT Press knows it can get more ad clicks per word if they just focus on Apple. No one cares about vulnerabilities in Windows or Android because everyone sort of expects it, none of which has anything to do with the valuable work that Project Zero is doing.
Well, you'd have to ask Apple that, because it's really not in Project Zero's remit to plan Apple's resourcing. I suspect the reason is that Apple's work does not cover as many platforms as Google's, so there is no need for them to test vulnerabilities on platforms other than their own.
Apple is free to research GOO as any other - but seems busy with fixing their own bugs...
Your vision on propaganda seems asymmetric
The process of disclosing security flaws is well outlined and nothing new - one is hearing about these because this is an Apple-related news site. Similar disclosures occur for a range of other platforms, including their own:
If you like, here is Apple's own disclosure of the same bugs, these were disclosed well before ZDnet's article:
https://support.apple.com/en-us/HT210918
Case in point: Android. Less an OS and more a malware and hacker Petri dish.
The artist is where the true glory goes. Not the person looking at the art.
They earned that much
and it's good to be aware of such truths.
[shakes head ... experiences motion sickness]