What you need to know
- A new Google report has revealed several bugs that were previously present in Apple software.
- The zero-click bugs have been patched by Apple.
- The problems revolved mostly around multimedia processing.
A new report published by Google today has revealed several zero-click bugs affecting all of Apple's major operating systems, all of which have since been patched.
This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a new(er) context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing code were found, reported to Apple or the respective open source image library maintainers, and subsequently fixed. During this research, a lightweight and low-overhead guided fuzzing approach for closed source binaries was implemented and is released alongside this blogpost.
To reiterate an important point, the vulnerabilities described throughout this blog are reachable through popular messengers but are not part of their codebase. It is thus not the responsibility of the messenger vendors to fix them.
The bugs involved multimedia processing, specifically the way messenger services automatically hand new images, audio, and video to your phone's OS, which then processes them (e.g. when someone sends you a photo in WhatsApp and it appears in your camera roll).
One of the important features of the issue is that it requires no interaction on the part of the user, because the processing components are triggered automatically. As ZDNet notes:
All an attacker has to do is find a way to send a malformed multimedia file to a device, wait until the file is processed, and until the exploit code triggers.
Google said that they were able to use a technique called "fuzzing" (feeding Image I/O unexpected input to check for abnormalities) to find six vulnerabilities in Image I/O and eight in OpenEXR. Google reiterated that none of these bugs could be used to take over devices. It further noted that all of the bugs had now been fixed.
The report further suggested that Apple continue testing of this nature on both operating system libraries and messenger apps.
You can read the full report here.