Google reveals zero-click bugs that Apple has patched in recent weeks

iPhone showing home screen (Image credit: iMore)

What you need to know

  • A new Google report has revealed several bugs that were previously present in Apple software.
  • The zero-click bugs have been patched by Apple.
  • The problems revolved mostly around multimedia processing.

A new report published by Google today has revealed several zero-click bugs affecting all of Apple's major operating systems, problems which have all since been patched.

Google's Project Zero blog states:

This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a new(er) context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing code were found, reported to Apple or the respective open source image library maintainers, and subsequently fixed. During this research, a lightweight and low-overhead guided fuzzing approach for closed source binaries was implemented and is released alongside this blogpost. To reiterate an important point, the vulnerabilities described throughout this blog are reachable through popular messengers but are not part of their codebase. It is thus not the responsibility of the messenger vendors to fix them.

The bugs involve multimedia processing, specifically in messenger services that automatically transfer new images, audio, and video to your phone's OS before they are processed (e.g. when someone sends you a photo in WhatsApp and it appears in your camera roll).

One of the important features of the issue is that it requires no interaction on the part of the user, as the processing components are triggered automatically. As ZDNet notes:

All an attacker has to do is find a way to send a malformed multimedia file to a device, wait until the file is processed, and until the exploit code triggers.

Google said that they were able to use a technique called "fuzzing" (feeding Image I/O unexpected input to check for abnormalities) to find six vulnerabilities in Image I/O and eight in OpenEXR. Google reiterated that none of these bugs could be used to take over devices. It further noted that all of the bugs had now been fixed.

The report further suggested that Apple continue testing of this nature on both operating system libraries and messenger apps.


Stephen Warwick
News Editor
