Google has just disclosed a series of security bugs that affected all Apple platforms. They are in the components that process multimedia files, so an attacker only needs to send a malformed image as the attack vector. Because this is a zero-click attack, it requires no user interaction.
Let's take a look at what these bugs involve. Apple has already fixed them.
ImageIO framework as an Achilles heel
As we know, Google has a team dedicated solely to finding and analyzing security flaws in third-party platforms. This is Project Zero, which first reports what it finds to the platform owner so that the owner has time to fix it. Once that time has passed, or once the flaw has been fixed, the finding is disclosed to the public.
This time, Project Zero has published a blog post describing a process called "horrible imagery". It is a kind of distortion of an image API that Apple uses on all of its platforms. So it is a vulnerability that affects iOS, iPadOS, macOS, watchOS and tvOS.
Given its central role in these platforms, as well as its use by third-party applications, it is a very interesting case.
The Project Zero team said they used a technique called "fuzzing" to look at how ImageIO handled non-image files. The debugging process fed unexpected image input to ImageIO in order to detect anomalies and access points for future attacks in the framework code.
Bugs were found in ImageIO and OpenEXR, six and eight respectively. OpenEXR is an open-source library for parsing image files that is included within ImageIO.
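The fuzzing approach described above, as an added example that is not taken from the article or from Project Zero: a small mutation fuzzer run against a hypothetical toy image format (`TIMG`, invented here, not an ImageIO format), comparing a decoder that trusts the declared dimensions with one that validates them. All function names and the sample file are assumptions of this example.

```python
import random
import struct

MAGIC = b"TIMG"  # hypothetical toy format invented for this example

def make_seed(width=4, height=4):
    """Valid constructed sample: magic, width, height (big-endian u16), pixels."""
    return MAGIC + struct.pack(">HH", width, height) + bytes(range(width * height))

def decode_naive(data):
    """Trusts the declared dimensions, the defect class fuzzing is meant to expose."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    width, height = struct.unpack_from(">HH", data, 4)
    # Reading past the buffer raises IndexError here; in C it is an out-of-bounds read.
    return [data[8 + i] for i in range(width * height)]

def decode_hardened(data):
    """Rejects any file whose declared size disagrees with the bytes present."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("bad header")
    width, height = struct.unpack_from(">HH", data, 4)
    if len(data) - 8 != width * height:
        raise ValueError("declared dimensions do not match payload length")
    return list(data[8:])

def mutate(seed, rng):
    """Overwrite one to three randomly chosen bytes with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(decoder, iterations=2000, rng_seed=1):
    """Return (exception name, input) pairs for every uncontrolled failure."""
    rng = random.Random(rng_seed)
    seed, anomalies = make_seed(), []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            decoder(sample)
        except ValueError:
            pass  # a clean rejection of a malformed file is the desired outcome
        except Exception as exc:  # anything else is an anomaly to triage
            anomalies.append((type(exc).__name__, sample))
    return anomalies

if __name__ == "__main__":
    print("naive:", len(fuzz(decode_naive)), "hardened:", len(fuzz(decode_hardened)))
```

The naive decoder produces anomalies whenever a mutation inflates the width or height fields, while the hardened decoder turns every such file into a clean rejection.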
The risk is already resolved in all Apple systems
It is highly probable that, with sufficient effort (and the exploit attempts permitted by the automatic restart of tasks), some of the vulnerabilities found could be exploited for RCE in a zero-click attack.
So states the Google document, which contains the details of the team's findings. The bugs themselves are not a threat, but the use made of them is. They are a way of gaining access without user intervention.
The key to a platform's security lies in the constant search for bugs and their rapid fixing.
As mentioned in the document, Apple has already fixed all of the bugs with software updates: specifically, iOS 13.3.1, iPadOS 13.3.1, tvOS 13.3.1 and macOS Catalina 10.15.3, along with security updates for macOS Mojave and macOS High Sierra. All of them date from January, although an April release that fixes the problem is also mentioned, without specifying which one.
Having a fully secure system is impossible for any company (there have been a few cases in recent days). But fixing the bugs as quickly as possible is an option, and Apple is taking it seriously. As always, it is highly recommended to keep your computer on the latest software available (unless you would have problems with some applications that have not been updated).