Monday, March 1, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Google discloses zero-click bugs impacting several Apple operating systems

April 29, 2020
in Internet Security
Google discloses zero-click bugs impacting several Apple operating systems
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Multimedia processing components are one of today’s most dangerous attack surfaces in any operating system.

When it comes to managing multimedia files, all operating systems work the same. Any new multimedia file — image, audio, video — that reaches a device is automatically transferred to a local OS library that parses the file to know what it is and what to do with it next.

You might also like

These four new hacking groups are targeting critical infrastructure, warns security company

Privacy Commissioner asks for clarity on minister’s powers in Critical Infrastructure Bill

TikTok agrees to pay $92 million to settle teen privacy class-action lawsuit

From an attacker’s perspective, bugs in multimedia processing components are the ideal attack surface, as they don’t need any user interaction before having the ability to run code on a remote device/OS.

All an attacker has to do is find a way to send a malformed multimedia file to a device, wait until the file is processed, and until the exploit code triggers.

In today’s interconnected world, exchanging images and videos is one of the most common user interactions. As such, hiding malicious code inside an image sent via SMS, email, or chat (IM) message is an easy way to attack targets without raising signs of alarm.

Due to all these reasons, vulnerabilities in multimedia processing components are currently one of the most sought-after security flaws, as they allow a silent, zero-click, no-user interaction intrusion vector.

Google’s Image I/O research

In a report published today, Project Zero, Google’s elite bug-hunting team, said they looked at one of Apple’s multimedia processing components, which is most likely to be an attractive attack surface for any threat actor needing a way to silently hack an Apple user.

More specifically, Project Zero researchers looked at Image I/O, a framework that’s built into all Apple operating systems and is tasked with parsing and working with image files.

The framework ships with iOS, macOS, tvOS, and watchOS, and most apps running on these operating systems rely on it to process image metadata.

Because of its central role all over the Apple app ecosystem, Image I/O is a dangerous attack surface that inherently enables a zero-click intrusion vector for any attacker, and needs to be as secure as possible against exploits.

Fuzzing Image I/O finds six bugs + eight more

The Project Zero team said they used a technique called “fuzzing” to test how Image I/O handled malformed image files.

The fuzzing process fed Image I/O unexpected input in order to detect abnormalities and potential entry points for future attacks in the framework’s code.

Researchers said they identified six vulnerabilities in Image I/O [1, 2, 3, 4, 5, 6], and another eight in OpenEXR, an open-source library for parsing EXR image files that ships as a third-party component with Image I/O.

Google said that neither of the bugs and the proof-of-concept code that they developed could be used to take over devices, but they didn’t look into the matter, as this wasn’t the purpose of their work.

“It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE [remote code execution] in a 0click attack scenario,” said Samuel Groß, a security researcher with the Project Zero team.

The research team said all the bugs are now fixed. The six Image I/O issues, received security updates in January and April, while the OpenEXR bugs were patched in v2.4.1.

More research needed into Apple’s zero-click attack surface

However, Groß says his team’s findings should merely be the beginning of more research into Image I/O and the rest of Apple’s image and multimedia processing components, all of which are an attractive click attack surface for developing potential zero-click attacks against Apple users and devices.

Groß says that the first step that Apple should take going forward is to continue his research on fuzzing the Image I/O code, since his work was most likely incomplete due to a lack of visibility and access to the framework’s source code.

“Thorough fuzzing, in any case, is always best performed by the maintainers with source code access,” Groß said.

In the long term, more complex mitigation solutions can also be enforced. Groß says that the simplest is to give app developers the ability to restrict the type of image formats that can be processed through their apps via Image I/O, a security feature that would prevent exotic image file formats from delivering malicious code to Image I/O in the first place.

In the long run, Apple should also look into bolstering its other multimedia processing components, similar to how Google and Mozilla have done for Android and Firefox, respectively.

For example, after the discovery of the Stagefright vulnerability, Google split the MediaServer component into smaller libraries, protected by different access permissions, making full device compromises harder to achieve.

Similarly, when Mozilla began integrating Rust code inside Firefox, the first component it re-wrote in its security-first programming language was its multimedia processing stack, showing exactly how important the component was to Firefox’s entire security model.

With the number of spyware and surveillance software vendors increasing all over the world, many of these companies are now looking at easy ways of breaching Apple systems, and, for the time being, multimedia processing libraries offer the most obvious way in. However, this way in shouldn’t be easy.

Credit: Zdnet

Previous Post

Critical Security Patches Released for Magento, Adobe Illustrator and Bridge

Next Post

Designing AI, Designing Humanity - Becoming Human: Artificial Intelligence Magazine

Related Posts

These four new hacking groups are targeting critical infrastructure, warns security company
Internet Security

These four new hacking groups are targeting critical infrastructure, warns security company

February 28, 2021
Privacy Commissioner asks for clarity on minister’s powers in Critical Infrastructure Bill
Internet Security

Privacy Commissioner asks for clarity on minister’s powers in Critical Infrastructure Bill

February 28, 2021
TikTok agrees to pay $92 million to settle teen privacy class-action lawsuit
Internet Security

TikTok agrees to pay $92 million to settle teen privacy class-action lawsuit

February 28, 2021
Cybercrime groups are selling their hacking skills. Some countries are buying
Internet Security

Cybercrime groups are selling their hacking skills. Some countries are buying

February 28, 2021
Why would you ever trust Amazon’s Alexa after this?
Internet Security

Why would you ever trust Amazon’s Alexa after this?

February 28, 2021
Next Post
Designing AI, Designing Humanity – Becoming Human: Artificial Intelligence Magazine

Designing AI, Designing Humanity - Becoming Human: Artificial Intelligence Magazine

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

The Bayesian vs frequentist approaches: implications for machine learning – Part two
Data Science

The Bayesian vs frequentist approaches: implications for machine learning – Part two

March 1, 2021
Google’s deep learning finds a critical path in AI chips
Machine Learning

Google’s deep learning finds a critical path in AI chips

March 1, 2021
9 Tips to Effectively Manage and Analyze Big Data in eLearning
Data Science

9 Tips to Effectively Manage and Analyze Big Data in eLearning

March 1, 2021
Machine Learning & Big Data Analytics Education Market 2021 Global Industry Size, Reviews, Segments, Revenue, and Forecast to 2027 – NeighborWebSJ
Machine Learning

Machine Learning & Big Data Analytics Education Market 2021 Global Industry Size, Reviews, Segments, Revenue, and Forecast to 2027 – NeighborWebSJ

March 1, 2021
The Future of AI in Insurance
Data Science

The Future of AI in Insurance

March 1, 2021
Machine Learning as a Service (MLaaS) Market Analysis Technological Innovation by Leading Industry Experts and Forecast to 2028 – The Daily Chronicle
Machine Learning

Machine Learning as a Service (MLaaS) Market Global Sales, Revenue, Price and Gross Margin Forecast To 2028 – The Bisouv Network

March 1, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • The Bayesian vs frequentist approaches: implications for machine learning – Part two March 1, 2021
  • Google’s deep learning finds a critical path in AI chips March 1, 2021
  • 9 Tips to Effectively Manage and Analyze Big Data in eLearning March 1, 2021
  • Machine Learning & Big Data Analytics Education Market 2021 Global Industry Size, Reviews, Segments, Revenue, and Forecast to 2027 – NeighborWebSJ March 1, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates