Google Project Zero is still going and continues to uncover security flaws present in software from the biggest tech companies around. The latest Project Zero disclosure report details a set of bugs within one of Apple’s tools, leading to zero-click vulnerabilities across iOS, iPad OS, macOS, WatchOS and also tvOS.
It turns out that the Project Zero team found an issue with ImageIO, a piece of software that Apple devices use to parse image files and metadata. By using a technique called ‘fuzzing’, researchers were able to find six vulnerabilities due to the way ImageIO processes incorrect image formats.
Apple patched the bugs that Google researchers discovered but as the post on the matter states, other bugs may still remain and new ones could be introduced in the future:
“Fuzzing of the exposed code turned up numerous new vulnerabilities which have since been fixed. It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE in a 0click attack scenario. Unfortunately it is also likely that other bugs remain or will be introduced in the future.”
Due to the possibility of more issues in the future, continuous testing is recommended to decrease the potential for attacks.
Discuss on our Facebook page, HERE.
KitGuru Says: The Project Zero team continues to do good work. At this stage, it seems that Apple will need to keep a close eye on testing here though, as the potential for undiscovered bugs or new ones being created remains.