Original Release Date: 5/1/2020
Researchers from Google’s Project Zero discovered six flaws in Apple’s multimedia processing component Image I/O, a framework responsible for parsing and working with image files. Image I/O ships with iOS, macOS, tvOS, and watchOS, and most apps running on these operating systems (OSs) rely on it for processing image metadata. Multimedia processing components, including Image I/O, are desirable attack surfaces because exploiting them does not require user interaction to run code on the targeted system; such attacks are sometimes referred to as “zero-click” attacks. In addition to the Image I/O flaws, the researchers discovered eight bugs in OpenEXR, an open-source library for parsing EXR image files that comes as a component with Image I/O. All of the discovered vulnerabilities have been patched. Researchers stressed that more research needs to be conducted into multimedia processing components.
The NJCCIC recommends users running Apple OSs ensure systems are updated to the latest vendor-supported patch levels. More information can be found in the Project Zero blog post.