Google discloses zero-click bugs impacting many Apple operating systems

On Tuesday, Google revealed the discovery of a few bugs – now-patched – in Apple’s Image I/O, a multimedia processing framework included in the company’s platforms.

Catalin Cimpanu for ZDNet:

From an attacker’s perspective, bugs in multimedia processing components are the ideal attack surface, as they don’t need any user interaction before having the ability to run code on a remote device/OS. All an attacker has to do is find a way to send a malformed multimedia file to a device, wait until the file is processed, and until the exploit code triggers…

Project Zero researchers looked at Image I/O, a framework that’s built into all Apple operating systems and is tasked with parsing and working with image files. The framework ships with iOS, macOS, tvOS, and watchOS, and most apps running on these operating systems rely on it to process image metadata…

Researchers said they identified six vulnerabilities in Image I/O [1, 2, 3, 4, 5, 6], and another eight in OpenEXR, an open-source library for parsing EXR image files that ships as a third-party component with Image I/O… The research team said all the bugs are now fixed. The six Image I/O issues received security updates in January and April, while the OpenEXR bugs were patched in v2.4.1.

MacDailyNews Take: Obviously, Apple will have to step up work (likely already has stepped up efforts) to make the attack surface of multimedia processing libraries much smaller.
