Security News > 2020 > April > Google Researchers Find Multiple Vulnerabilities in Apple's ImageIO Framework
Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple's iOS and macOS operating systems.
The bugs in image parsing code, some of which impact open source image libraries and not the ImageIO framework itself, can be triggered through popular messenger applications by sending specially crafted image files to the targeted user.
Google's researchers identified a total of 14 vulnerabilities, 5 of which affected Apple's ImageIO framework, and 9 impacting the OpenEXR library, a high dynamic range image file format created for computer imaging applications.
The first of the six issues reported to Apple was a buffer overflow impacting the usage of libTiff in the framework, which did not receive a CVE. The researchers also reported out-of-bounds reads on the heap when processing DDS images or JPEG images with invalid size parameters, an off-by-one error in the PVR decoding logic, a related bug in the PVR decoder, and an out-of-bounds read during handling of OpenEXR images.
The last issue actually occurred in the OpenEXR library, third-party code bundled with ImageIO, but could not be reproduced in the upstream OpenEXR library, and the researchers decided to report it directly to Apple.
News URL
Related news
- Apple creates Private Cloud Compute VM to let researchers find bugs (source)
- Apple Opens PCC Source Code for Researchers to Identify Bugs in Cloud AI Security (source)
- Researchers Uncover Vulnerabilities in Open-Source AI and ML Models (source)
- Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform (source)
- Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities (source)
- Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects (source)
- Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks (source)
- Researchers Uncover Prompt Injection Vulnerabilities in DeepSeek and Claude AI (source)