MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/1256627
were given malformed image files to process, instead of knowing what to do with them or returning an error code, Image I/O and OpenEXR would simply crash. For most computer users, a crash is the end of the story: Time to relaunch an app, or restart the computer. But to a security researcher — or an exploit developer — a crash is just the beginning. They're more interested in why and how something crashed, because that unexpected behavior may give them a way to take advantage of the crashing system. For example, if a crash involves the OS writing data to places in memory where it shouldn't be writing data, a threat actor could use this error to insert malicious code into a location where it would then be executed by the system. The Google researchers found that these vulnerabilities were resulting in various read and write errors of this type, which could lead to serious problems. The bugs were called "zero- click" vulnerabilities since they would not, in theory, require user interaction to exploit. The part of the Image I/O framework tested is responsible for loading thumbnail image previews in messenger apps. To do this, the system must first process the image file — and that happens without the user having to click on anything. If a maliciously crafted image file is sent and processed, bad things can happen. How did they find the vulnerabilities? The researchers used a technique called "fuzzing". Fuzzing refers to the practice of throwing all sorts of random input at a computer in order to see what happens. That may seem like a haphazard way to test for vulnerabilities, but it actually makes sense when you think about it. Developers — good ones, anyway — are very skilled at building elegant software that performs as expected. But they're only human, and even though they attempt to think through all possible scenarios, and anticipate everything that could go wrong with their code, they still miss things from time to time. Of course, it's pretty hard to find the one thing you didn't think of! After all, how can you find something if you don't know you're looking for it? But fuzzing provides a way to do just that. By automating the process of feeding a computer random input, you wind up generating scenarios that you never would have thought to test. When this results in a crash, you've discovered a potential vulnerability. Fuzzing can also be useful when you can't see all of the source code you're testing — which was precisely the situation that Google researchers found themselves in when attempting to evaluate Apple's Image I/O. The researchers started up their fuzzer and let it run for several weeks, until it discovered the vulnerabilities discussed above. Are the bugs serious? Image I/O is used by all of Apple's operating systems (macOS, iOS, watchOS, and tvOS), so these bugs have a wide impact. The Google researchers, it should be noted, were only looking for vulnerabilities — they weren't trying to prove that the vulnerabilities could be exploited. However, due to the nature of the bugs, and based on past experience with similar vulnerabilities, it's possible to make some educated guesses about whether or not they could be exploited. Samuel Groß, the author of the blog post that announced the Google team's findings, had this to say: It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for RCE [Remote Code Execution] in a 0click attack scenario. Unfortunately it is also likely that other bugs remain or will be introduced in the future". Do I need to take action? According to Groß, the bugs discovered by his team were patched by Apple in January and April, so you should be safe if all of your OSes are up to date. If you haven't updated in a while, now would be a good time to do so — and enable automatic updates while you're at it. The team at Google also has some recommendations for Apple. In their view, the company should conduct their own fuzz- testing of image parsing tools like Image I/O, and should also make it possible for app developers to restrict the number of supported image formats in order to decrease the attack surface available to bad actors. In terms of takeaways for the rest of us, this story is a good reminder that no platform — even one belonging to a security-focused company like Apple — is 100% safe. So be mindful when adding new contacts who could potentially send you messages, and remember to stay on top of your OS updates! About SecureMac Founded in 1999, SecureMac (www.securemac.com) has been a leading contributor to Apple security since the 2005 release of the original MacScan anti-malware tool. In the years since, SecureMac has continued to play an essential role in providing macOS users with straightforward options for better security. From the development of the faster and more powerful MacScan 3 to the company's ongoing development of online privacy tool PrivacyScan, users can easily equip themselves for protection. With the addition of The Checklist, SecureMac continues to showcase a deep commitment to accessible security and the importance of digital awareness for all Mac users. For more info visit https://www.securemac.com/