The Google Project Zero team announced this week that it had discovered significant flaws in Apple's Image I/O framework, bugs of the kind that are likely candidates for zero-click attacks. Image I/O ships with iOS, macOS, watchOS, and tvOS, so the flaws were present on every major platform that Apple offers.
The Project Zero team withheld publication of the bugs until Apple had patched them. The team says the Image I/O problems belong to a relatively well-known class of issues in image format parsers. Flaws of this sort are commonly targeted by attackers because multimedia assets are often processed automatically, for instance when a message arrives, so a parser bug can give an attacker code execution on the target system without any user interaction.
Google's team used a technique called "fuzzing", feeding the Image I/O framework large numbers of malformed image files and observing how it responded. The team chose that technique because Apple does not publish most of the framework's source code, which rules out straightforward source review. During the research, the Google team found six vulnerabilities in Image I/O, along with another eight in OpenEXR, a third-party parsing library for the OpenEXR HDR image format.
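The mutation-based fuzzing loop described above, as an added example that is not Project Zero's harness and not Apple's or OpenEXR's code: it runs against a constructed toy parser (`parse_timg`, for an invented "TIMG" format) that trusts its header dimensions without checking the pixel data length, so the loop has a realistic image-parser defect to find. The format, the parser, and all function names are assumptions made for this illustration; the mutators, the split between clean rejection (`ValueError`) and unexpected exceptions, and the crash bucketing by innermost frame are the parts a practitioner would reuse.

```python
import hashlib
import random
import struct
import traceback

# Constructed toy target for the demo: a 9-byte "TIMG" header followed by raw
# pixels. The format and the parser are inventions for this example, not any
# real Image I/O code.
#   magic (4 bytes) | width (u16 LE) | height (u16 LE) | bpp (u8) | pixels...
HEADER = struct.Struct("<4sHHB")


def parse_timg(data: bytes) -> dict:
    """Parse a TIMG blob. ValueError means 'malformed, rejected cleanly';
    any other exception is a robustness bug the fuzzer should catch."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    magic, width, height, bpp = HEADER.unpack_from(data, 0)
    if magic != b"TIMG":
        raise ValueError("bad magic")
    if bpp not in (8, 24):
        raise ValueError("unsupported bpp")
    row_bytes = width * bpp // 8
    pixels = data[HEADER.size:]
    # Deliberate demo bug: the header dimensions are trusted without checking
    # that the pixel data is large enough (the classic image-parser mistake).
    rows = [pixels[r * row_bytes:(r + 1) * row_bytes] for r in range(height)]
    top_left = rows[0][0]  # IndexError if height or width is 0, or data is short
    return {"width": width, "height": height, "bpp": bpp, "top_left": top_left}


# A single valid 2x2, 8-bit seed image (constructed) as the fuzzing corpus.
SEED_IMAGE = HEADER.pack(b"TIMG", 2, 2, 8) + bytes([10, 20, 30, 40])

# Boundary values that tend to trip length and sign handling in parsers.
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary byte, truncation, or insertion."""
    data = bytearray(sample)
    op = rng.randrange(4)
    if op == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice(INTERESTING)
    elif op == 2:
        data = data[:rng.randrange(len(data) + 1)]
    else:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def crash_id(exc: BaseException) -> str:
    """Bucket crashes by exception type and innermost frame, as a triager would."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    key = f"{type(exc).__name__}:{frame.name}:{frame.lineno}"
    return hashlib.sha1(key.encode()).hexdigest()[:12]


def fuzz(target, corpus, iterations=2000, seed=1):
    """Mutate corpus samples, run the target, and collect unique crashes.

    Returns {crash_id: (exception_name, reproducer_bytes)}.
    """
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            target(sample)
        except ValueError:
            continue  # clean rejection of malformed input: not a bug
        except Exception as exc:  # anything else is a finding
            crashes.setdefault(crash_id(exc), (type(exc).__name__, sample))
    return crashes


if __name__ == "__main__":
    for cid, (name, repro) in fuzz(parse_timg, [SEED_IMAGE]).items():
        print(f"crash {cid}: {name} on input {repro.hex()}")
```

Against a real closed-source target such as Image I/O the target call would be a native harness (the image decoder invoked on the mutated file under a sanitizer), and the crash bucket would be built from the faulting address and stack rather than a Python exception, but the loop shape, the corpus of valid seeds, and the rule that only unexpected failures count as findings are the same. Keeping the reproducer bytes with each bucket is what makes a finding reportable.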
One of the Project Zero researchers said that, given enough effort, some of the vulnerabilities the team discovered could likely be exploited for remote code execution in a zero-click attack scenario. One member of the Google team recommended that Apple perform continuous fuzz testing of system libraries and of messenger apps, which are another popular avenue for multimedia-based attacks. Apple fixed the Image I/O flaws in security patches it pushed out in January and April. Separately, a flaw in the iOS Mail app was recently disclosed that had reportedly been exploited in some cases.