Google has just disclosed a series of security flaws affecting all Apple platforms. The flaws are in the media processing components, so an attacker could simply send a corrupt image as the attack vector. Because it is a zero-click attack, it does not require user interaction.
Let's see what these bugs, already fixed by Apple, consist of.
The ImageIO framework as an Achilles’ heel
As we know, Google has a team focused solely on finding and analyzing security flaws on its own and other platforms. This is Project Zero, whose discoveries are first reported to the owner of the platform so that it has a reasonable amount of time to fix them. Once this time has passed, or once the flaw is fixed, it is disclosed to the public.
On this occasion, Project Zero has published a blog entry detailing a process called "fuzzing ImageIO". Roughly, this means feeding malformed input to the image API that Apple uses on all its platforms. The flaws therefore affect iOS, iPadOS, macOS, watchOS and tvOS.
Given its central role on the platforms, as well as the use third-party apps make of it, ImageIO is a very attractive target. ZDNet has an analysis of the bugs in which they state:
Bugs have been found in ImageIO as well as in OpenEXR, with six and eight bugs respectively. OpenEXR is an open-source library for the analysis of image files and is located within ImageIO.
Vulnerabilities that have already been resolved on all Apple systems
So concludes the Google document, which details the discoveries made by the team. It is not the bugs themselves that are dangerous, but the use made of them: they are a means of gaining access without any user intervention. And given the prevalence of messaging services, Google recommends fuzzing constantly.
The key to the security of a platform is the constant search for errors and their correction as soon as possible
As indicated in the document, Apple has already fixed all the bugs with software updates: specifically, iOS 13.3.1, iPadOS 13.3.1, tvOS 13.3.1 and macOS Catalina 10.15.3. Security updates have also been released for macOS Mojave and macOS High Sierra. All of these date from January, although updates that correct the problem were also released in April, without specifying which ones.
Having a completely secure system is impossible for any company (there have been several in recent days). But fixing flaws as soon as possible is within reach, and Apple takes it seriously. As always, it is highly recommended to run the latest available software version (unless you may have problems with certain apps that have not yet been updated).