Google's Project Zero publishes a series of zero-click vulnerabilities that affected all Apple devices
The vulnerabilities, reported by Google's Project Zero team, lie in Apple's ImageIO framework, which is present on all of Apple's operating systems (iOS, macOS, watchOS and tvOS), so every Apple device appears to have been affected. The newly disclosed flaws sit in the same image-parsing code as issues that were already reported and fixed, but this time the attack path is images delivered through popular messaging apps, which hand received images to the system's ImageIO library for decoding.
The issue is that exploiting the vulnerabilities does not require the user to click on a suspicious-looking link or take any other action, which is why they are called "zero-click" vulnerabilities. Project Zero reportedly used a technique called "fuzzing", a software-testing methodology that feeds invalid, unexpected or random data to a program (here Apple's ImageIO framework) and watches for crashes or other misbehaviour. The team discovered six vulnerabilities in ImageIO itself and eight more in a third-party image format and library, OpenEXR, that ImageIO exposed. Apple has already fixed all of them, in its January and April security patches.
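The fuzzing loop the paragraph describes, shown here as an added example that is not Project Zero's harness (which ran against the real ImageIO on macOS) and not code from this article. It uses a constructed toy image format of my own, with one decoder that carries a classic length-check bug and a hardened copy of the same decoder; the format, the seed file, and all function names are assumptions for illustration only.

```python
import random
from typing import Callable, List

# Constructed toy image format, used here only to show the fuzzing loop.
# It is NOT ImageIO, OpenEXR, or any real format:
#   bytes 0-3  magic "TIMG"
#   byte  4    width  (u8)
#   byte  5    height (u8)
#   byte  6    bits per pixel, 8 or 16 (16 bpp doubles the payload size)
#   bytes 7..  pixel payload, width * height * (bpp // 8) bytes
MAGIC = b"TIMG"
HEADER_LEN = 7

# A valid 2x2, 8-bpp seed file (constructed) for the fuzzer to mutate.
SEED = MAGIC + bytes([2, 2, 8]) + bytes([10, 20, 30, 40])


class ImageError(Exception):
    """The decoder's own, graceful rejection of malformed input."""


def _header(data: bytes):
    """Shared header validation; returns (width, height, bpp, payload)."""
    if len(data) < HEADER_LEN or data[:4] != MAGIC:
        raise ImageError("bad header")
    w, h, bpp = data[4], data[5], data[6]
    if bpp not in (8, 16):
        raise ImageError("unsupported bpp")
    return w, h, bpp, data[HEADER_LEN:]


def parse_unhardened(data: bytes) -> int:
    """Decoder with a latent bug: the length check forgets the bpp multiplier,
    so a 16-bpp file with a short payload is read past its end. In Python that
    is an IndexError; in a C decoder it would be an out-of-bounds read."""
    w, h, bpp, payload = _header(data)
    if len(payload) < w * h:              # BUG: should be w * h * (bpp // 8)
        raise ImageError("truncated pixel data")
    step = bpp // 8
    return sum(payload[i * step] for i in range(w * h)) & 0xFFFF


def parse_hardened(data: bytes) -> int:
    """Same decoder with the payload length derived from all three fields."""
    w, h, bpp, payload = _header(data)
    if len(payload) < w * h * (bpp // 8):
        raise ImageError("truncated pixel data")
    step = bpp // 8
    return sum(payload[i * step] for i in range(w * h)) & 0xFFFF


def classify(target: Callable[[bytes], int], data: bytes) -> str:
    """'ok', 'rejected' (the decoder's own ImageError) or 'crash' (anything
    else, the analogue of the signal a native fuzzer's crash handler catches)."""
    try:
        target(data)
        return "ok"
    except ImageError:
        return "rejected"
    except Exception:
        return "crash"


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four byte-level mutations: bit flip, interesting-value
    overwrite, truncation, or appending random bytes."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.choice((0, 1, 8, 16, 0x7F, 0xFF))
        elif op == 2 and len(buf) > 1:
            del buf[rng.randrange(len(buf)):]
        else:
            buf.extend(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


def fuzz(target: Callable[[bytes], int], seed: bytes, iterations: int,
         rng_seed: int = 1) -> List[bytes]:
    """Mutation-based fuzz loop: graceful rejections are uninteresting, every
    crash is kept so it can be triaged and minimised afterwards."""
    rng = random.Random(rng_seed)
    crashes: List[bytes] = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        if classify(target, case) == "crash":
            crashes.append(case)
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_unhardened, SEED, 3000)
    print(f"unhardened: {len(found)} crashing inputs"
          + (f", e.g. {found[0].hex()}" if found else ""))
    print(f"hardened:   {len(fuzz(parse_hardened, SEED, 3000))} crashing inputs")
```

The point to take from the loop is the split between "rejected" and "crash": a decoder that says no to a malformed file is doing its job, and a fuzzer only pays attention when the program fails in a way it did not plan for. The same seed, mutated a few thousand times, turns up the missing multiplier in the unhardened decoder within seconds and finds nothing in the hardened one, which is exactly the kind of regression check the researcher's "more fuzz-testing" advice amounts to in practice.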
It is important to note that although the vulnerabilities were reachable through popular messaging apps, they were not in the apps' own source code, so the team said it was Apple's responsibility to fix them rather than that of the individual messaging-app developers.
Samuel Groß, a researcher on the Project Zero team, published the report and stated that, even though all of the issues found have already been fixed by Apple, further vulnerabilities of the same type may still be present and, with enough hard work from malicious hackers, could potentially be exploited in zero-click attacks on Apple devices.
The researcher recommended that the Cupertino-based tech giant perform more "fuzz testing". He also advised that Apple implement aggressive attack-surface reduction in its OS libraries, that is, reduce the number of file formats the libraries will decode, in order to improve security. Every format a library is willing to parse from untrusted input is attack surface, so formats that ordinary users never send or receive add risk without adding anything in return.