Bugs in the framework allow iPhones to be attacked remotely, the researchers warn. Apple needs to test for vulnerabilities more thoroughly.
Google's Project Zero team found several vulnerabilities in Apple's central image framework, ImageIO, during automated software testing (fuzzing); the bugs could allow malicious code to be executed. Since common messaging apps use the framework to render image previews in notifications, a crafted image can be delivered remotely and is parsed as soon as it arrives, the researchers explain, so no user interaction is required.
Vulnerabilities closed by Apple
The vulnerabilities affect all Apple operating systems, were reported to the manufacturer and have already been closed with updates to iOS, iPadOS, macOS, tvOS and watchOS, as Google notes. iOS/iPadOS 13.3.1, released at the end of January, for example, addresses several of the bugs listed. Displaying a manipulated image file could be used "to execute arbitrary code", Apple warned in a security note added later. The bug "could read data outside of its designated area", an out-of-bounds read, Apple said, and it was addressed through improved input validation.
It is up to the operating system vendor, Apple in this case, to find such bugs and potential weaknesses through extensive fuzzing and to close them promptly, according to a detailed post by Project Zero. This is not the messenger vendors' responsibility, since the code is not part of their code base. In addition, the attack surface of such multimedia frameworks should be reduced in general: ImageIO still supports a large number of image formats, including obscure ones. Messenger developers, too, should reduce the number of accepted image formats as far as possible.
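One way a messenger could act on that last recommendation is to decide on the file content, not on the attacker-controlled extension or MIME type, whether an attachment is handed to the system image decoder for an automatic preview at all. The following is an added example written for this article, not code from Project Zero's post or from any messenger; the allowlist, the helper names and the sample byte strings are all constructed here for illustration. Anything that does not start with the magic bytes of a small set of well-exercised formats (PNG, JPEG, GIF) is not decoded automatically, so an OpenEXR or other obscure file never reaches the decoder without a user action.

```python
# Added example: content-sniffing allowlist for image previews.
# Illustrative code only; not from Project Zero's post or any messenger app.
from typing import Optional

# Deliberately small allowlist: (offset, magic bytes, format name).
# Everything not listed here is treated as "do not decode automatically".
ALLOWED_SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
]

# Which declared extensions are acceptable for each sniffed format.
EXTENSION_TO_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_allowed_format(data: bytes) -> Optional[str]:
    """Return the allowlisted format whose magic bytes start the buffer, else None.

    Sniffing looks only at the bytes the sender actually transmitted, so a file
    named picture.png that is really an EXR image does not pass.
    """
    for offset, magic, name in ALLOWED_SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def should_decode_preview(data: bytes, declared_extension: str) -> bool:
    """Decide whether an attachment may be passed to the image decoder for a
    zero-interaction preview (e.g. in a notification).

    Both conditions must hold: the content is an allowlisted format, and the
    declared extension agrees with the sniffed format. A rejected attachment is
    still delivered; it is simply shown as a generic file until the user taps it,
    which turns a zero-click decode into a one-click one.
    """
    fmt = sniff_allowed_format(data)
    if fmt is None:
        return False
    ext = declared_extension.lower().lstrip(".")
    return EXTENSION_TO_FORMAT.get(ext) == fmt


# Constructed sample inputs (headers only, padded; not real image files).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
# OpenEXR files begin with the magic number 20000630 stored little-endian.
SAMPLE_EXR = b"\x76\x2f\x31\x01" + b"\x00" * 16


def triage_attachments(attachments):
    """Return {name: decision} for a batch of (name, bytes) pairs."""
    decisions = {}
    for name, data in attachments:
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        decisions[name] = should_decode_preview(data, ext)
    return decisions


if __name__ == "__main__":
    batch = [
        ("holiday.png", SAMPLE_PNG),
        ("photo.JPG", SAMPLE_JPEG),
        ("render.exr", SAMPLE_EXR),
        ("disguised.png", SAMPLE_EXR),  # EXR content with a PNG extension
    ]
    for name, ok in triage_attachments(batch).items():
        print(f"{name}: {'auto-preview' if ok else 'no automatic decode'}")
```

The check is cheap and sits entirely in the app's own code, so it does not depend on Apple fixing ImageIO first; it only narrows which inputs reach the framework without user interaction. To see how wide the default attack surface is on a given system, the ImageIO API `CGImageSourceCopyTypeIdentifiers()` returns the list of UTIs the framework will decode, which is a useful baseline when deciding how short the allowlist should be.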
Google fuzzer could allow detection of further bugs
Google has released the fuzzer it used to analyze ImageIO. The researchers said they ran it for several weeks with a small corpus of around 700 images in various formats and found the vulnerabilities that way. Third-party libraries integrated into ImageIO, such as OpenEXR, also proved to be vulnerable, they said. It is likely that further bugs exist in the framework "or will be introduced in the future".