Google finds zero-click bugs affecting iOS, macOS, and more
This week, Google researchers announced that they had discovered multiple “zero-click” bugs in Apple’s image-processing framework. Such vulnerabilities could potentially be used to develop exploits that would allow attackers to execute code on a target device without any user interaction required.
In this short piece, we’ll tell you what Google found, explain some key terms in their report, and let you know what it means for you.
What’s a framework?
The researchers discovered six vulnerabilities affecting Apple’s Image I/O framework, and eight additional vulnerabilities in the associated open-source OpenEXR image parsing library. Let’s take a moment to understand what that means.
When software developers write code for their apps, they don’t reinvent the wheel every single time. Instead, they make use of repositories of pre-existing code — called frameworks and libraries — in order to save time and build better software. If they’re writing an application for use on someone else’s platform, they can use that platform’s frameworks to give their app the functionality it needs.
Millions of third-party developers write apps for Apple’s platforms, and the company offers various frameworks for them to use. Image I/O is one such framework. It allows apps to read and write image file formats. For example, if you were developing a new macOS messenger application, and wanted it to be able to send GIFs and JPEGs, you would use the Image I/O framework to help your app read and write those file types. OpenEXR is something similar. It is a collection of resources — a library — that can be used to process EXR files, a type of high-quality image file used in animation and professional video production.
By handing off image processing off to Apple, developers can save time and — theoretically — build more secure software. But the catch is that they’re relying on Image I/O to process image file data safely. And as the Google researchers discovered, that wasn’t happening.
What did Google find?
So what went wrong with Image I/O and OpenEXR?
It seems that they were unable to handle certain types of unexpected input. When they were given malformed image files to process, instead of knowing what to do with them or returning an error code, Image I/O and OpenEXR would simply crash.
For most computer users, a crash is the end of the story: Time to relaunch an app, or restart the computer. But to a security researcher — or an exploit developer — a crash is just the beginning. They’re more interested in why and how something crashed, because that unexpected behavior may give them a way to take advantage of the crashing system.
For example, if a crash involves the OS writing data to places in memory where it shouldn’t be writing data, a threat actor could use this error to insert malicious code into a location where it would then be executed by the system.
The Google researchers found that these vulnerabilities were resulting in various read and write errors of this type, which could lead to serious problems.
The bugs were called “zero-click” vulnerabilities since they would not, in theory, require user interaction to exploit. The part of the Image I/O framework tested is responsible for loading thumbnail image previews in messenger apps. To do this, the system must first process the image file — and that happens without the user having to click on anything. If a maliciously crafted image file is sent and processed, bad things can happen.
How did they find the vulnerabilities?
The researchers used a technique called “fuzzing”.
Fuzzing refers to the practice of throwing all sorts of random input at a computer in order to see what happens. That may seem like a haphazard way to test for vulnerabilities, but it actually makes sense when you think about it.
Developers — good ones, anyway — are very skilled at building elegant software that performs as expected. But they’re only human, and even though they attempt to think through all possible scenarios, and anticipate everything that could go wrong with their code, they still miss things from time to time.
Of course, it’s pretty hard to find the one thing you didn’t think of! After all, how can you find something if you don’t know you’re looking for it? But fuzzing provides a way to do just that. By automating the process of feeding a computer random input, you wind up generating scenarios that you never would have thought to test. When this results in a crash, you’ve discovered a potential vulnerability. Fuzzing can also be useful when you can’t see all of the source code you’re testing — which was precisely the situation that Google researchers found themselves in when attempting to evaluate Apple’s Image I/O. The researchers started up their fuzzer and let it run for several weeks, until it discovered the vulnerabilities discussed above.
Are the bugs serious?
Image I/O is used by all of Apple’s operating systems (macOS, iOS, watchOS, and tvOS), so these bugs have a wide impact.
The Google researchers, it should be noted, were only looking for vulnerabilities — they weren’t trying to prove that the vulnerabilities could be exploited. However, due to the nature of the bugs, and based on past experience with similar vulnerabilities, it’s possible to make some educated guesses about whether or not they could be exploited. Samuel Groß, the author of the blog post that announced the Google team’s findings, had this to say:
It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE [Remote Code Execution] in a 0click attack scenario. Unfortunately it is also likely that other bugs remain or will be introduced in the future”.
Do I need to take action?
According to Groß, the bugs discovered by his team were patched by Apple in January and April, so you should be safe if all of your OSes are up to date. If you haven’t updated in a while, now would be a good time to do so — and enable automatic updates while you’re at it.
The team at Google also has some recommendations for Apple. In their view, the company should conduct their own fuzz-testing of image parsing tools like Image I/O, and should also make it possible for app developers to restrict the number of supported image formats in order to decrease the attack surface available to bad actors.
In terms of takeaways for the rest of us, this story is a good reminder that no platform — even one belonging to a security-focused company like Apple — is 100% safe. So be mindful when adding new contacts who could potentially send you messages, and remember to stay on top of your OS updates!