Google Project Zero white-hat hackers have disclosed zero-click vulnerabilities affecting multiple Apple operating systems.
White-hat hackers at Google Project Zero team have discovered several zero-click vulnerabilities impacting multiple Apple’s multimedia processing components is several Apple operating systems.
Multimedia processing components could be a privileges entry point for threat actos that attempt to hack into the mobile OS, including the Apple one.ultimedia processing components
The discovery urges Apple into implementing additional security measures to protect these components, following the approach already adopted by Google to protect multimedia processing libraries.
Multimedia processing libraries are used by the modern mobile OS to automatically manage multimedia files (i.e. images, audio, and videos)
A bug in a multimedia processing component could be exploited by threat actors to take over mobile devices by simply sending a specially-crafted picture or a video to the target device, even without interaction (so-called zero-click attacks).
This means that SMS messages, emails, or IM messages could be an attack vector.
Google Project Zero researchers focused their analysis on the Image I/O framework which is used in iOS, macOS, tvOS, and watchOS. The Project Zero team used a “fuzzing” technique to test how Image I/O handled malformed multimedia files.
“This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing code were found, reported to Apple or the respective open source image library maintainers, and subsequently fixed.” reads the report published by Google. “During this research, a lightweight and low-overhead guided fuzzing approach for closed source binaries was implemented and is released alongside this blogpost.”
The choice of using a fuzzing approach is loosely based on the paper: Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing Experts explained that they had some difficulties in using this approach because the target code was not open source, making it impossible to use standard fuzzing tools.
They implemented a security oriented software fuzzer named Honggfuzz.
Experts highlighted the necessity to secure these components to prevent zero-click attacks exploiting flaws in their code.
“One of the insights gained from developing an exploit for an iMessage vulnerability was that a memory corruption vulnerability could likely be exploited using the described techniques if the following preconditions are met:
- A form of automatic delivery receipt sent from the same process handling the messages
- Per-boot ASLR of at least some memory mappings
- Automatically restarting services” continues the analysis.
“In that case, the vulnerability could for example be used to corrupt a pointer to an ObjC object (or something similar), then construct a crash oracle to bypass ASLR, then gain code execution afterwards.”
Experts discovered six vulnerabilities in Image I/O:
- P0 Issue 1952
- CVE-2020-3826/P0 Issue 1953
- CVE-2020-3827/P0 Issue 1956
- CVE-2020-3878/P0 Issue 1974
- CVE-2020-3878/P0 Issue 1984
- CVE-2020-3880/P0 Issue 1988
and eight issues in OpenEXR, which is an open-source library for parsing EXR image files.
The researchers pointed out that neither the bugs and the proof-of-concept code that they developed could be used to hack mobile devices.
They confirmed that will go deep in their study with other research into Image I/O and other multimedia processing components,
“Fuzzing of the exposed code turned up numerous new vulnerabilities which have since been fixed.” concludes Google.
“It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE [remote code execution] in a 0click attack scenario,”
The good news is that Apple already addressed the vulnerabilities in the Image I/O with security updates implemented since January
Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS