Last week a bug was reported in the Mail app on the iPhone. Apple said it posed no risk to its users and that the flaws would be fixed in the next version of iOS.
However, a risk is sometimes not made public until after Apple has addressed it, so that information about the flaw does not fall into the wrong hands.
The vulnerability we will be discussing here was already addressed at the beginning of the year. The Google Project Zero security team, which pointed out the flaws, released the details in a report and advised that Apple should do more to prevent such problems.
The vulnerability is in Apple's Image I/O framework, which is included in all Apple platforms (macOS, iOS, iPadOS, tvOS, and watchOS) and is used to parse images and other types of media.
When you receive an image file by text message, email, or other means, the image is handed to this library, where the parsing is performed.
Because no user interaction is required for code hidden within the image to run with this type of flaw, it is in demand among hackers. (That is why Google's Project Zero doesn't publish it before Apple has dealt with it.)
Apple corrected the risk in patches released in January and April, but Google Project Zero researcher Samuel Groß is not satisfied and thinks Apple hasn't done enough.
The report recommends that Apple improve its defect testing through "continuous fuzz testing" and "aggressive attack surface reduction."
The researchers used a technique called "fuzzing" to uncover the security flaws. Attackers use the same approach: media files are used to identify weaknesses in the framework and in OpenEXR, the HDR-related framework, which can then be used to run arbitrary code on the device without user intervention.
Reducing the attack surface can mean reducing the number of file formats that attackers can use.
"It is possible that, given enough effort (and exploitation efforts provided as a result of automated service restarts), some of the detected vulnerabilities can be exploited for RCE (remote code execution) in the context of 0-click attacks," said Samuel Groß. Although the flaws should not harm your device, this does show why keeping your systems up to date is so important.
Apple often learns about a new security risk in good time and can respond before it is made public.
However, sometimes Apple doesn't respond immediately. For example, we are still waiting for the Mesense vulnerabilities for iOS and iPadOS published last week to be resolved.
The betas of iOS 13.4.5 and iPadOS 13.4.5 contain the fix, so we expect it to arrive soon. Keep your iPhones and iPads ready to update.
This article first appeared on Macwelt, our sister website in Germany.