PNG Exploit Causing iOS & Mac OS Crashes
Security expert Lander Brandt discovered a bug in the image processing subsystems of Apple’s iOS and Mac OS X operating systems. Specially crafted PNG image files can cause native apps such as Apple Mail, Safari and Messages as well as third-party apps using the corresponding Apple framework to crash repeatedly when viewing the weaponized images. A solution is in the works, while a timeline for an eventual patch is still unknown.
Brandt discovered the “Apple ImageIO Denial of Service” vulnerability by “fuzzing” the ImageIO framework after the known Stagefright exploit had piqued his interest. After 30 minutes he had already identified a potential attack vector and shortly after developed a new exploit that works on all current versions of iOS and Mac OS X.
In December 2015, he reported the vulnerability to Apple, who promptly replied and acknowledged the issue. Unfortunately, the bug had not been fixed with the iOS 9.3 firmware update and more than 100 days after the issue had originally been reported, the security researcher chose to publicize the bug to add pressure onto Apple to patch up the vulnerability under the hood.
The bug uses a custom PNG chunk with a zero-length data field, which causes a null pointer dereference and ultimately results in a crash that is not unlike what we’ve seen in 2013, when a snippet of text could cause your messaging app or browser to crash.
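To make the chunk-length detail concrete from the defender's side, here is an added example (not code from the article, from Lander Brandt, or from Apple's ImageIO) that walks a PNG file chunk by chunk, verifies each chunk's length and CRC, and flags custom (non-standard) chunks whose data field is empty, which is exactly the condition a fragile decoder must handle explicitly instead of assuming a data buffer exists. The chunk type `exAm` and the 1x1 image are constructed test input; the real trigger chunk is not named in the article and nothing here is taken from it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is treated as custom.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def build_chunk(ctype, data):
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png):
    """Return a list of (type, data, crc_ok) tuples; raise ValueError on malformed input.

    Every length is bounds-checked against the file before any data is sliced, and a
    zero-length chunk simply yields an empty bytes object rather than a missing buffer.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if length > 0x7FFFFFFF:  # PNG caps chunk length at 2^31 - 1
            raise ValueError("chunk length exceeds PNG limit")
        start = pos + 8
        end = start + length
        if end + 4 > len(png):
            raise ValueError("chunk data extends past end of file")
        data = png[start:end]  # b"" for a zero-length chunk, never None
        (crc,) = struct.unpack(">I", png[end:end + 4])
        crc_ok = crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks


def scan_png(png):
    """Return human-readable findings for chunks worth a second look before decoding."""
    findings = []
    for ctype, data, crc_ok in parse_chunks(png):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name}: CRC mismatch")
        if ctype in STANDARD_CHUNKS:
            continue  # IEND is legitimately empty, so standard chunks are not flagged
        if len(data) == 0:
            findings.append(f"{name}: zero-length custom chunk")
        else:
            findings.append(f"{name}: custom chunk ({len(data)} bytes)")
    return findings


def make_sample_png(custom_chunks=()):
    """Constructed 1x1 8-bit grayscale PNG, optionally with extra (type, data) chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    png = PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
    for ctype, data in custom_chunks:
        png += build_chunk(ctype, data)
    return png + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b"")


if __name__ == "__main__":
    print(scan_png(make_sample_png()))
    print(scan_png(make_sample_png([(b"exAm", b"")])))
```

The design point is in `parse_chunks`: a zero-length chunk is a normal, valid case in PNG (IEND is always empty), so any handler that receives chunk data must be written to accept an empty payload, and a mail gateway or upload service can run a scan like this to quarantine images carrying empty custom chunks until the decoding framework on the client side is patched.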
In this case, the modified PNG file can lead to crashes in iMessage, Apple Mail and other apps, with effects that sometimes persist and can only be cleared by, for example, having one of your contacts send another message to your account and then deleting the problematic image from the conversation. In iOS 9.3.1 and Mac OS X 10.11, Safari threads do not fully crash but instead reload with a warning. Browsers such as Google Chrome and Firefox do not use Apple’s ImageIO framework and are therefore not affected by this exploit.
Hopefully Apple will resolve the problems in iOS 9.3.2 and Mac OS X 10.11.5 in the near future. The iOS 9.3.2 Beta 2 has just been released, but we haven’t tested for the exploit yet. We’ll keep you updated!