Last year, we reported on Google ’s Project Zero team, which helped Apple fix Important iPhone vulnerabilities To hackers. right now, AppleInsider is attracting our attention Another team publication revealed six new vulnerabilities on the Apple platform. The vulnerability reported by the team is related to the so-called ImageIO framework that exists on all Apple systems (iOS, macOS, watchOS, and tvOS). , So all Apple devices seem to be affected by the vulnerability. However, the newly discovered network security vulnerability is related to the reported and resolved issues in the code that parses the picture, but this time, it is related to the picture in the popular messaging application.
The problem is that the vulnerability does not require users to click on any suspicious links or similar content, which is why it is called a "zero click" vulnerability. It is said that Zero item Working with a technology called "fuzzing", this software test method can provide invalid, unexpected, or random data to Apple's ImageIO framework. Then, the team discovered six vulnerabilities in ImageIO and eight vulnerabilities in a third-party image format (called OpenEXR) disclosed by Apple ImageIO. According to reports, Apple has fixed the above vulnerabilities.
It is important to note that these vulnerabilities can be accessed through popular messaging applications, but are not linked to the application ’s source code, so the team stated that it is Apple ’s responsibility to fix this vulnerability, not the individual messaging application team ’s responsibility.
Samuel Groß, a researcher on the Zero Project team, released the report and pointed out that even if all the problems found have been fixed by Apple, there are still some other vulnerabilities of the same type, and after enough effort, Malicious hackers may be used as a zero-click attack on Apple devices.
The researchers recommend that Cupertino-based technology giants conduct more "fuzzing tests." In addition, he suggested that Apple implement aggressive attack surface reduction in its OS library, which means reducing the number of compatible file formats to improve security.