
Google discloses zero-click bugs impacting all Apple platforms

Google on Tuesday revealed the discovery of a handful of now-patched bugs in Apple's Image I/O, a multimedia processing framework vital to the company's platforms.

Discovered by Google's Project Zero team, and outlined in a publication on Tuesday, the Image I/O flaws are ripe candidates for zero-click attack vectors, reports ZDNet.

Image I/O ships with iOS, macOS, watchOS and tvOS, meaning the flaws were present on each of Apple's major platforms.

As noted in Google's disclosure, the Image I/O problems hark back to relatively well-known issues surrounding image format parsers. These specialized frameworks are attractive targets for attackers because a malformed multimedia asset, if it is allowed to be processed, can typically lead to code execution on a target system without user interaction.

Project Zero probed Image I/O using a process called "fuzzing" to see how the framework responded to malformed image files. The technique was selected because Apple restricts access to a majority of the framework's source code.

Google researchers successfully teased out six vulnerabilities in Image I/O and another eight in OpenEXR, a third-party "high dynamic-range (HDR) image file format" that is exposed through Apple's framework.

"It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for [remote code execution] in a 0click attack scenario," writes Samuel Groß, security researcher at Project Zero.

Groß recommends Apple perform continuous "fuzz-testing" as well as "aggressive attack-surface reduction" in operating system libraries and messenger apps, another popular avenue for multimedia-based attacks. The latter tactic would reduce compatible file formats in the name of security.
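
An app that receives images can apply the same attack-surface reduction on its own side by refusing any format it does not need before a system decoder sees the bytes. The C code below is an added example, not code from Project Zero or Apple; the function names and the allowlist (PNG, JPEG, GIF) are assumptions chosen for illustration, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Formats this example recognises; the set is an assumption for illustration. */
typedef enum { FMT_UNKNOWN, FMT_PNG, FMT_JPEG, FMT_GIF, FMT_TIFF, FMT_OPENEXR } img_fmt;

struct magic { img_fmt fmt; size_t len; uint8_t bytes[8]; };

static const struct magic MAGICS[] = {
    { FMT_PNG,     8, { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A } },
    { FMT_JPEG,    3, { 0xFF, 0xD8, 0xFF } },
    { FMT_GIF,     6, { 'G', 'I', 'F', '8', '7', 'a' } },
    { FMT_GIF,     6, { 'G', 'I', 'F', '8', '9', 'a' } },
    { FMT_TIFF,    4, { 'I', 'I', 0x2A, 0x00 } },
    { FMT_TIFF,    4, { 'M', 'M', 0x00, 0x2A } },
    { FMT_OPENEXR, 4, { 0x76, 0x2F, 0x31, 0x01 } },
};

/* Identify the format from the leading bytes only, never from a file
 * name or a declared MIME type, both of which the sender controls. */
img_fmt sniff_format(const uint8_t *buf, size_t len) {
    if (buf == NULL) return FMT_UNKNOWN;
    for (size_t i = 0; i < sizeof MAGICS / sizeof MAGICS[0]; i++) {
        if (len >= MAGICS[i].len && memcmp(buf, MAGICS[i].bytes, MAGICS[i].len) == 0)
            return MAGICS[i].fmt;
    }
    return FMT_UNKNOWN;   /* includes truncated headers */
}

/* Default deny: only formats the app actually needs reach the decoder. */
int format_allowed(img_fmt fmt) {
    switch (fmt) {
    case FMT_PNG: case FMT_JPEG: case FMT_GIF: return 1;
    default: return 0;    /* TIFF, OpenEXR and anything unrecognised are dropped */
    }
}

/* Returns 1 if the attachment may be passed to the image decoder, 0 otherwise. */
int gate_attachment(const uint8_t *buf, size_t len) {
    return format_allowed(sniff_format(buf, len));
}

int main(void) {
    /* Constructed sample: OpenEXR magic number followed by padding bytes. */
    const uint8_t exr[] = { 0x76, 0x2F, 0x31, 0x01, 0x02, 0x00, 0x00, 0x00 };
    return gate_attachment(exr, sizeof exr) == 0 ? 0 : 1;  /* exits 0 when rejected */
}
```

A gate like this narrows which parsers are reachable; it does not remove bugs in the formats that remain allowed, so it complements fuzz-testing and does not replace it.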

Apple fixed the six Image I/O flaws in security patches pushed out in January and April, according to the report.



20 Comments

rob53 13 Years · 3312 comments

Already fixed so why did Google bring it up?

buttesilver 6 Years · 41 comments

Exactly. "Oh look, Apple sucks and we're here to show them how it's done". Yeah, remember /var google???

rob53 said:
Already fixed so why did Google bring it up?

dkddkd 10 Years · 14 comments

rob53 said:
Already fixed so why did Google bring it up?

It is common practice within the security field for the org/team that submitted the security vulnerabilities to publish their findings after the vendor patches said vulnerabilities - nothing nefarious going on here ...

chasm 10 Years · 3624 comments

I truly admire the fine work of the Google Project Zero team, but I do wish a few of them could turn their focus a little harder to the malware-ridden security nightmare that is Android. You'll notice that no federal agency has EVER complained that Google won't give them access to a phone they want to sift through ... just sayin'.

dysamoria 12 Years · 3430 comments

Exactly. "Oh look, Apple sucks and we're here to show them how it's done". Yeah, remember /var google???
rob53 said:
Already fixed so why did Google bring it up?

Why are you guys so defensive? This is standard practice. It’s no kind of attack on Apple.