Google has just disclosed a series of security flaws that affected all Apple platforms. They lie in the multimedia file processing components, so an attacker needed only to send a corrupted image as the attack vector. Being a zero-click attack, it requires no user interaction.

Let’s see what these bugs, already fixed by Apple, consist of.

The ImageIO framework as an Achilles’ heel

As we know, Google has a team focused solely on finding and analysing security bugs on its own and third-party platforms. This is Project Zero, whose discoveries are first disclosed to the owner of the platform so that it has a reasonable time to fix them. Once that time has elapsed, or once the fix is released, the findings are made public.

On this occasion, Project Zero has published a blog post detailing a process it calls “fuzzing ImageIO”, that is, fuzzing the image-parsing API Apple uses on all its platforms. The vulnerabilities therefore affect iOS, iPadOS, macOS, watchOS and tvOS alike.

Given its central role on those platforms, as well as its use by third-party apps, it is a very attractive target. ZDNet has an analysis of the bugs in which they state:

The Project Zero team said they have used a technique called “fuzzing” [distortion] to examine how ImageIO handled malformed image files. The distortion process fed ImageIO unexpected inputs with the intention of detecting abnormalities and possible entry points for future attacks in the framework code.

The bugs were found in ImageIO as well as in OpenEXR, six and eight bugs respectively. OpenEXR is an open-source library for parsing image files that is included inside ImageIO.

Vulnerabilities that have already been resolved on all Apple systems

It is very possible that, with enough effort (and exploit attempts granted thanks to the automatic restart of services), some of the vulnerabilities found could be exploited for RCE in a zero-click attack.

So ends the Google document, which details the team’s findings. The bugs in themselves are not dangerous; what matters is the use made of them. They are a means of gaining access without any user intervention. And given the prevalence of messaging services, Google recommends fuzzing continuously.

The key to the security of a platform lies in the constant search for errors and their correction as soon as possible.

As the document indicates, Apple has already fixed all the bugs through software updates: specifically iOS 13.3.1, iPadOS 13.3.1, tvOS 13.3.1 and macOS Catalina 10.15.3, with security updates also released for macOS Mojave and macOS High Sierra. All of these date from January, although updates that fix the problem were also released in April, without specifying which ones.

Having a completely secure system is impossible for any company (in recent days there have been several). But fixing bugs as soon as possible is within reach, and Apple takes it seriously. As usual, it is highly recommended to keep your device on the latest software version available (unless you might have problems with certain apps that have not yet been updated).