Google on Tuesday revealed the discovery of a handful of bugs now fixed in Apple’s image I / O, a vital multimedia processing framework for corporate platforms.
Discovered by Google’s Project Zero team and described in a Tuesday release, image I / O vulnerabilities are ripe candidates for zero-click attack vectors, reports ZDNet.
Image I / O comes with iOS, macOS, OS and tvOS, which means that the flaws were present on each of Apple’s main platforms.
As noted in Google’s disclosure, the image I / O problems referred to relatively well known problems with image format analyzers. These specialized frameworks are ideal for hackers, because poorly trained multimedia assets, if allowed to process, usually have the ability to execute code on a target system without user interaction.
Project Zero pitted the I / O image using a process called “fuzzing” to see how the framework responded to malformed image files. The technique was chosen because Apple restricts access to most of the source code for the tool.
Google researchers have successfully eliminated six vulnerabilities in image I / O and eight others in OpenEXR, a third-party “high dynamic range image file (HDR) format” that is exposed through the framework of Apple.
“It is likely that, with enough effort (and to exploit the attempts granted due to the automatic restart of services), some of the vulnerabilities found can be exploited to [remote code execution] in a 0click attack scenario, “wrote Samuel Groß, security researcher at Project Zero.
Groß recommends that Apple perform continuous “fuzz testing” as well as “aggressive attack surface reduction” in operating system libraries and messaging applications, another popular avenue for multimedia attacks . The latter tactic would reduce compatible file formats in the name of security.
According to the report, Apple fixed the six image I / O vulnerabilities in the security patches removed in January and April.