On Tuesday, Google revealed the discovery of a few bugs – now-patched – in Apple’s Image I/O, a multimedia processing framework included in the company’s platforms.
From an attacker’s perspective, bugs in multimedia processing components are the ideal attack surface, as they don’t need any user interaction before having the ability to run code on a remote device/OS. All an attacker has to do is find a way to send a malformed multimedia file to a device, wait until the file is processed, and until the exploit code triggers…
Project Zero researchers looked at Image I/O, a framework that’s built into all Apple operating systems and is tasked with parsing and working with image files. The framework ships with iOS, macOS, tvOS, and watchOS, and most apps running on these operating systems rely on it to process image metadata…
Researchers said they identified six vulnerabilities in Image I/O [1, 2, 3, 4, 5, 6], and another eight in OpenEXR, an open-source library for parsing EXR image files that ships as a third-party component with Image I/O… The research team said all the bugs are now fixed. The six Image I/O issues received security updates in January and April, while the OpenEXR bugs were patched in v2.4.1.
MacDailyNews Take: Obviously, Apple will have to step up work (likely already has stepped up efforts) to make the attack surface of multimedia processing libraries much smaller.

Great that they were all patched before they were disclosed. There is really no problem then. So why is Google even mentioning them then?
I’m surprised you are even asking that question. 😁
Another “security exploit” that’s easily defeated by not downloading strange files from the internet or in your email.
Wrong! Cococansuck!
Thanks for awesome and insightful comment, That’s! That really adds a lot to the discussion.