Google’s Project Zero security team has shared its findings on a series of zero-click vulnerabilities affecting the iPhone and other Apple hardware.
The vulnerabilities were disclosed on the dedicated Project Zero blog, where the team’s findings go into detail on what this means for iPhone owners. Project Zero found issues in the ImageIO multimedia processing framework, which is present on all Apple systems including iOS, macOS, watchOS and even tvOS, and which is used to parse image files and image metadata.
When you receive an image file by text or email, ImageIO handles the parsing process to work out what kind of image file it is. Because this happens automatically, with no user interaction required, malicious data concealed within an image can trigger a flaw before the recipient does anything at all, which is why attackers are so keen on this kind of security flaw.
Using a technique called “fuzzing,” the Google team tested how the ImageIO framework handled malformed image files. They found six vulnerabilities within ImageIO, and a further eight in OpenEXR, a third-party image format library.
The vulnerabilities could be exploited through third-party messaging apps, but rather than the apps themselves or their source code being the issue, the flaw sat at the system level. That meant the problem had to be resolved by Apple itself.
The Google analysts promptly reported the bugs to Apple, and all of the vulnerabilities have since been patched through several OS updates. The ImageIO issues were fixed in January and April 2020, while the OpenEXR vulnerabilities were fixed in its latest update, 2.41.
It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE in a 0click attack scenario. Unfortunately it is also likely that other bugs remain or will be introduced in the future.
As such, continuous fuzz-testing of this and similar media format parsing code as well as aggressive attack-surface reduction, both in operating system libraries (in this case ImageIO) as well as messenger apps (by restricting the number of accepted image formats on the receiver) are recommended.
However, Samuel Groß, a researcher on the Project Zero team, claims that even though all of the issues his team found have already been patched by Apple, other vulnerabilities of the same kind are still present and could be found by persistent attackers. This means that such bugs could be exploited in further zero-click attacks on Apple devices such as the iPhone and associated hardware.
While no OS is completely secure at any one time, this issue points out the importance of keeping your devices up to date with the relevant security patches and OS updates to ensure you are always fully protected against those with malicious intent.
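As an illustration of the receiver-side attack-surface reduction Project Zero recommends above (accepting fewer image formats in the messenger before the bytes reach the platform parser), here is an added example, not code from Project Zero, Apple or any messaging app. The format list, the `gate_attachment` function and the sample bytes are all constructed for this example.

```python
"""Receiver-side image format allowlist (constructed example).

A messenger can shrink the attack surface by refusing image formats it
does not need before the bytes ever reach the platform decoder (ImageIO
on Apple systems). The file's leading bytes ("magic") are sniffed rather
than trusting the sender-supplied MIME type or filename extension.
"""

# Formats a chat client typically needs. Anything else, including rarer
# codecs such as OpenEXR, is refused before any decoding starts.
ALLOWED_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Signatures named explicitly so the rejection reason is useful in logs.
# OpenEXR files begin with the magic number 20000630 stored little-endian.
DENIED_MAGIC = {
    "openexr": b"\x76\x2f\x31\x01",
    "tiff-le": b"II*\x00",
    "tiff-be": b"MM\x00*",
}


def sniff_format(data: bytes):
    """Return the allowlisted format name for `data`, or None."""
    for name, sigs in ALLOWED_MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return name
    return None


def denied_reason(data: bytes) -> str:
    """Explain a refusal; distinguishes known-but-disallowed signatures."""
    for name, sig in DENIED_MAGIC.items():
        if data.startswith(sig):
            return f"rejected: {name} is not an accepted format"
    return "rejected: unrecognised or disallowed image signature"


def gate_attachment(data: bytes, declared_mime: str):
    """Decide whether an inbound attachment may be handed to the decoder.

    Returns (accepted, detail). Accepted only if the sniffed format is on
    the allowlist AND matches the declared MIME type, so a renamed file
    cannot steer the bytes into a parser the declared type would not use.
    """
    fmt = sniff_format(data)
    if fmt is None:
        return False, denied_reason(data)
    if declared_mime != f"image/{fmt}":
        return False, f"rejected: content is {fmt} but declared {declared_mime}"
    return True, f"accepted: {fmt}"
```

This only removes rarely used parsers from the reachable surface; bugs inside the formats that remain on the allowlist still need the OS-level fixes described above.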
Author: Damien Wilde.
Source: 9TO5Google