Google's Project Zero team examined Apple's Image I/O framework and found six vulnerabilities in this multimedia processing component. The team found eight more vulnerabilities in the OpenEXR library.
Researchers identified six vulnerabilities in Image I/O and eight more in the OpenEXR library. Specialists from the Google Project Zero team found vulnerabilities in one of Apple's multimedia processing components that do not require user interaction.
The problems were identified in Image I/O, a framework built into all Apple operating systems and designed to parse and work with image files. The framework ships with iOS, macOS, tvOS and watchOS, and most applications running on these platforms use it to process image metadata.
According to the Project Zero team, they used a method called fuzzing to test how Image I/O handles malformed image files. The researchers identified six vulnerabilities in Image I/O and eight more in OpenEXR, an open-source library for parsing EXR image files, which ships as a third-party component with Image I/O.
According to the experts, none of the problems or proof-of-concept (PoC) code for the vulnerabilities can be used to seize control of a device, but they did not study this issue.
“It is likely that with sufficient effort by attackers, some of the vulnerabilities found can be used to remotely execute code without interacting with the user,” the experts explained. These vulnerabilities are currently fixed: six problems in Image I/O were fixed in January and April of this year, while the vulnerabilities in OpenEXR were fixed in version 2.4.1.
Credits: SecurityLab.ru