Google Project Zero researchers have discovered and described a number of vulnerabilities in Apple's operating systems. The bugs reside in the Image I/O framework, which is used for parsing images and ships with iOS, macOS, tvOS and watchOS.
In total, 14 vulnerabilities were identified: six directly affect Apple's Image I/O, and the other eight are in the open-source OpenEXR library, which is used to parse EXR images and is bundled with Image I/O.
“None of the detected bugs, nor the proof-of-concept exploits presented for them, can be used to take control of a vulnerable device, but it is emphasized that the experts did not study this issue carefully, as this was not their goal,” the researchers write.
The researchers note that attackers could exploit the discovered problems through popular messaging applications: it would be enough to send a specially crafted file to the potential victim. At the same time, they acknowledge that some of the vulnerabilities can most likely be used for remote code execution without any user interaction; or perhaps the Google Project Zero team simply did not go deep into this aspect of the problem.
The first vulnerability reported to Apple was a buffer overflow affecting the use of libTiff in Apple's Image I/O. This bug has not yet received its own CVE identifier.
“The following were also discovered: out-of-bounds heap reads when processing DDS images (CVE-2020-3826) or JPEG images (CVE-2020-3827) with invalid size parameters; an off-by-one error in the PVR decoding logic (CVE-2020-3878) and a related bug in the PVR decoder (CVE-2020-3878); as well as an out-of-bounds read when processing OpenEXR images (CVE-2020-3880),” Google Project Zero says.
The last of these actually originated in the third-party OpenEXR library bundled with Image I/O.
Interestingly, this vulnerability could not be reproduced in the latest version of OpenEXR, which suggests that Apple was using an outdated version of the library. As a result, the researchers decided to first report the problem directly to Apple rather than to the OpenEXR authors.
Having found this bug, the researchers decided to look more closely at OpenEXR itself and quickly uncovered another batch of vulnerabilities: an out-of-bounds write (CVE-2020-11764); an out-of-bounds read of a std::vector (CVE-2020-11763); an out-of-bounds memcpy (CVE-2020-11762); out-of-bounds reads of image element data and other data structures (CVE-2020-11760, CVE-2020-11761, CVE-2020-11758); an out-of-bounds read on the stack (CVE-2020-11765); and an integer overflow (CVE-2020-11759).
“To date, all vulnerabilities have already been fixed. Six issues in Image I/O code were fixed in January and April, while bugs in OpenEXR were fixed in February, with the release of version 2.4.1,” the research team reports.
The researchers hope their analysis will serve as a starting point for further study of Image I/O, as well as of other components used for image and multimedia processing on Apple devices. Image I/O plays an important role in Apple's application ecosystem and ships with iOS, macOS, tvOS and watchOS, which means it presents a broad attack surface and should be protected as well as possible.
At the same time, the researchers stress that obviously not all of Image I/O's weaknesses have been found, since they fuzzed it without access to the source code. Google Project Zero hinted that such analysis is best done by the developers themselves, who have the sources.
The analysts also believe that, going forward, Apple should give application developers the ability to independently restrict which image formats Image I/O will process on their behalf. This should prevent exotic file formats from being used to deliver malware through Image I/O.
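One way to implement the pre-filter the researchers recommend, as an added example that is not Project Zero's or Apple's code: inspect a file's leading bytes against an allowlist before handing it to any decoder, so a file whose name says .jpg but whose content is EXR or PVR is rejected rather than parsed. The magic values are taken from the public format specifications; the sample inputs are constructed.

```python
# Content-based allowlist for the formats named in the Project Zero write-up.
# The decision is made on the bytes themselves, never on the file extension.
from typing import Optional

def _is_jpeg(data: bytes) -> bool:
    return data[:3] == b"\xff\xd8\xff"

def _is_tiff(data: bytes) -> bool:
    # Little-endian ("II") and big-endian ("MM") TIFF headers.
    return data[:4] in (b"II*\x00", b"MM\x00*")

def _is_dds(data: bytes) -> bool:
    return data[:4] == b"DDS "

def _is_exr(data: bytes) -> bool:
    # OpenEXR magic number 0x762f3101, stored little-endian.
    return data[:4] == b"\x76\x2f\x31\x01"

def _is_pvr(data: bytes) -> bool:
    # PVR v3 header starts with the tag 0x03525650 (little-endian "PVR\x03");
    # the legacy v2 header carries "PVR!" at byte offset 44.
    return data[:4] == b"PVR\x03" or data[44:48] == b"PVR!"

SNIFFERS = {"jpeg": _is_jpeg, "tiff": _is_tiff, "dds": _is_dds,
            "exr": _is_exr, "pvr": _is_pvr}

def identify(data: bytes) -> Optional[str]:
    """Return the sniffed format name, or None if no known header matches."""
    for name, sniff in SNIFFERS.items():
        if sniff(data):
            return name
    return None

def should_decode(data: bytes, allowed=frozenset({"jpeg"})) -> bool:
    """True only if the content is a format the application chose to allow.
    Unknown headers are rejected too: the decoder never sees them."""
    return identify(data) in allowed

if __name__ == "__main__":
    # Constructed sample: an EXR header padded out, as if it arrived named "photo.jpg".
    disguised_exr = b"\x76\x2f\x31\x01\x02\x00\x00\x00" + b"\x00" * 56
    print(identify(disguised_exr), should_decode(disguised_exr))  # exr False
```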
Well, I recently wrote, for example, about vulnerabilities that allowed access to the cameras on Mac, iPhone and iPad. Legends were once told about the security of Apple products, and now, as we can see, Google is gloating over them.