Google on Tuesday revealed the discovery of a handful of now-patched bugs in Apple's Image I/O, a multimedia processing framework vital to the company's platforms.
Discovered by Google's Project Zero team, and outlined in a publication on Tuesday, the Image I/O flaws are ripe candidates for zero-click attack vectors, reports ZDNet.
Image I/O ships with iOS, macOS, watchOS and tvOS, meaning the flaws were present on each of Apple's major platforms.
As noted in Google's disclosure, the Image I/O problems harken back to relatively well-known issues surrounding image format parsers. These specialized frameworks are ideal targets for hackers, as malformed multimedia assets, if allowed to be processed, typically have the ability to run code on a target system without user interaction.
Project Zero poked at Image I/O using a process called "fuzzing" to see how the framework responded to malformed image files. The technique was selected because Apple restricts access to a majority of the tool's source code.
Google researchers successfully teased out six vulnerabilities in Image I/O and another eight in OpenEXR, a third-party "high dynamic-range (HDR) image file format" that is exposed through Apple's framework.
"It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for [remote code execution] in a 0click attack scenario," writes Samuel Groß, security researcher at Project Zero.
Groß recommends Apple perform continuous "fuzz-testing" as well as "aggressive attack-surface reduction" in operating system libraries and messenger apps, another popular avenue for multimedia-based attacks. The latter tactic would reduce compatible file formats in the name of security.
Apple fixed the six Image I/O flaws in security patches pushed out in January and April, according to the report.
20 Comments
Already fixed so why did Google bring it up?
Exactly. "Oh look, Apple sucks and we're here to show them how it's done". Yeah, remember /var google???
I truly admire the fine work of the Google Project Zero team, but I do wish a few of them could turn their focus a little harder to the malware-ridden security nightmare that is Android. You'll notice that no federal agency has EVER complained that Google won't give them access to a phone they want to sift through ... just sayin'.