Project Zero, the security analyst team from Google, has reportedly disclosed a series of scary vulnerabilities impacting all Apple-made operating systems. The vulnerabilities are six in total in the image I/O and eight in OpenEXR modules in all operating systems by Apple. The list of vulnerabilities is capable of affecting the operating systems running inside Apple's iPhone, iPad, MacBooks, Apple Watch and Apple TV.
The Image I/O vulnerabilities
All the vulnerabilities found in Apple's operating systems relate to multimedia file processing of the operating system. To find out the vulnerabilities, security analysts at Project Zero have used a technique dubbed fuzzing to find out how the Image I/O malfunctions while processing any image file. The OpenEXR, on the other hand, is an open-source library which is responsible for parsing the image files with EXR extensions and comes as a third-party embedded component with Image I/O.
How the bugs work
The Project Zero analysts have mentioned that the vulnerabilities found in the Google operating system are powerful enough to execute remote-code-execution where an attacker can execute an attack remotely without any assistance. Samuel Groß, an analyst from Project Zero, has explained that the threat actors can exploit any of these bugs by sending across an image file to any Apple iPhone, iPad, MacBook, Apple Watch or Apple TV and can launch a zero-click attack.
Similarly, the threat actors could also exploit the other vulnerabilities found in OpenEXR by sending an HDR file. The Project Zero analysts have explained that the parser has been implemented in C and C++ language and is openly available on GitHub.
Previously, Google's Chrome operating system Android was vulnerable to a similar flaw called Stagefright. Google fixed the vulnerability by dividing its MediaServer component into smaller libraries which could require individual authentication to access.
The Google analysts have reported the bugs to Apple and have already got them fixed through several updates. The Image, I/O issues, have been fixed in January and April 2020, while the OpenEXR vulnerabilities have been fixed with its latest update 2.41.