Just a few months ago, security testing course experts from Google’s Project Zero revealed some security vulnerabilities in Apple’s iOS operating system that could be exploited to completely compromise a device. This revelation generated harsh criticism for Google, as it later emerged that these flaws were not present only in Apple’s operating system.
Despite criticism, Project Zero members have revealed a new report on some vulnerabilities present in Apple’s operating systems, which could be exploited by threat actors to gain an access point to a compromised device.
According to Project Zero security testing course researchers, reported vulnerabilities are an old problem related to media files sent via instant messaging platforms within the ImageIO framework. The flaws were reported to Apple, which was quick to release the corresponding fixes.
In its report, the Google team warns that even though the revealed vulnerabilities do not allow you to take control of a device or the exposure of sensitive data, some of these flaws can be exploited for remote code execution without interaction of the affected user.
Security testing course experts ensure that exploiting vulnerabilities using images is not a rare phenomenon. Recently, multiple reports of some flaws in messaging platforms and other remote communication services have been revealed; In most cases, the attack is triggered when an image is received and the device requires analyzing the data to know how to manage and display the file. Most are in formats such as JPEG, GIF or PNG, although there are other less common file types.
Project Zero demonstrated the existence of these vulnerabilities using a method known as data randomization, so the device became unable to properly handle an image. This opens the door for threat actors to deploy subsequent attacks.
As a security measure, Google suggested manufacturers adopt this testing model; implementing support only for the most common image formats can also be a good measure to mitigate the risk of exploiting these flaws.
Apparently, these flaws are present on all Apple operating systems, even those that have been recently updated. It should be mentioned that this is a very sophisticated attack vector, so a campaign of mass exploitation of these flaws is very unlikely.
For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.