Last week we reported on a vulnerability in Apple Mail on the iPhone and iPad. Apple has claimed that it is not a risk to users, but it is addressing the flaw in the next version of iOS.
However, sometimes vulnerabilities are discovered that aren’t publicised until after Apple has addressed them - that way the knowledge of the flaw shouldn’t fall into the wrong hands. The vulnerabilities we will discuss here have already been addressed earlier this year. Google's security team Project Zero, who identified the flaws, has published details of them in a report and advised that Apple should be doing more to prevent these vulnerabilities.
The vulnerabilities are in Apple’s Image I/O. The Image I/O framework is included in all Apple platforms (macOS, iOS, iPadOS, tvOS and watchOS) and is used for parsing images and other media types. When you receive an image file by text, email, or other means, the image is handed to the OS library, where it is parsed to determine what it is. Because no user interaction is necessary for code concealed inside the image to run, these kinds of flaws are sought after by hackers (hence Google Project Zero not publicising them before Apple addressed the flaws).
Apple addressed the vulnerabilities in patches released in January and April, but Google Project Zero researcher Samuel Groß isn’t satisfied that Apple has done enough. In the report he recommends that Apple should improve its own testing for flaws with continuous “fuzz-testing” and “aggressive attack-surface reduction”.
The researchers used a technique called fuzzing to identify the security flaws. Fuzzing is also used by attackers: they feed manipulated media files to the framework (and to the related HDR framework, OpenEXR) to identify weaknesses, which can then be used to execute third-party code on the device without user intervention.
Attack-surface reduction would reduce the amount of compatible file formats that could be used by attackers.
"It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE [remote code execution] in a 0click attack scenario," said Samuel Groß.
While the flaws shouldn’t be any danger to you or your device, they show why it’s so important to keep your systems up to date. Apple usually learns about new security vulnerabilities in good time and can react before they become public knowledge.
However, sometimes Apple doesn’t react quickly. For example, we are still waiting for the security vulnerability in Mail for iOS and iPadOS that became known last week to be addressed. The beta of iOS 13.4.5 and iPadOS 13.4.5 contains the fix so we anticipate that it will arrive soon. Have your iPhones and iPads ready for installation. Read more about the Mail flaw that Apple says is “Harmless”.
A version of this article originally appeared on Macwelt. Translation by Karen Haslam.