CVE-2023-23535 - How a Malicious Image Could Reveal Your Apple Device’s Secrets

In early 2023, Apple fixed a security vulnerability identified as CVE-2023-23535 that affected multiple of its major operating systems. This weakness revolved around how images were processed. If a user opened or interacted with a carefully crafted image, sensitive information stored in memory could be revealed to an attacker.

In this long read, we’ll explain this vulnerability in plain English, show you how this kind of bug works with simple code, discuss how it could be exploited, and provide references for those who want to dig deeper. You’ll also learn which updates fix the problem, and why updating your devices is always a good idea.

What Is CVE-2023-23535?

CVE-2023-23535 is a memory handling vulnerability discovered in Apple’s image processing stack. Basically, different Apple devices might leak parts of their memory – including potentially sensitive data – to hackers if they process a rogue image file. This could happen if you just preview, open, or interact with an image in a website, app, or email.

This vulnerability existed because the code responsible for reading images didn’t manage memory correctly. When a specially crafted image was processed, it could leak out sections of memory belonging to the process, which sometimes includes your data or secret information.

How Does This Happen? (A Simple Example)

While Apple holds the actual proprietary code, we can understand the bug with a simplified analogy using C code. Many vulnerabilities like this, often called “out-of-bounds reads,” happen when code reads more data out of memory than it should.

A Simplified Image Parser Example

#include <stdio.h>
#include <string.h>

// Fake function to parse image data
void process_image(unsigned char *image_data, size_t length) {
    unsigned char buffer[64];

    // Vulnerable: doesn't check if length is too big!
    memcpy(buffer, image_data, length);

    // Later, buffer is used or written somewhere
}

int main() {
    unsigned char malicious_img[80] = {}; // fill with lots of zeros
    strcpy((char *)malicious_img + 65, "SECRET_DATA"); // secret data in memory

    // This will copy more than buffer can hold, causing buffer overflow
    process_image(malicious_img, 80); 
}

In this code, the process_image function copies more data than the buffer is meant to hold. That can lead to sensitive data accidentally being included when the result is sent somewhere – for example, a preview generated for the user, which an attacker could then collect.

In the real bug, Apple’s framework reading the image didn’t control memory boundaries correctly for certain images, so parts of the device’s system memory would be appended to the image data, exposed anywhere that image result was shown or processed.

The real-world risk here is data leakage. An attacker could

1. Send you a Malicious Image: Email, SMS, or post it online, hoping you’ll simply view it with your device (think opening a photo in Messages or Safari).
2. Leak Process Memory: The attack image, when displayed, could cause the device to accidentally reveal parts of its memory (contents could be anything running in the process: fragments of emails, documents, messages, credentials, or even session tokens).
3. Exfiltration: The attacker’s code or commands might collect and transmit this leaked data back.

The attack does not require installation of new apps or user interaction beyond viewing the image. This kind of weakness is popular in “zero-click” or “drive-by” attacks.

Proof-of-Concept (PoC) and Public Exploits

Apple’s image handling code is closed, and there are no public, working exploits for this specific CVE at the time of writing. However, Project Zero and other security researchers have found similar issues in the past, showing the method.

- Read More: Apple Security Update 2023-03-27
- NVD Entry for CVE-2023-23535

Generally, exploiters generate an image (PNG, JPEG, TIFF) with tricky data fields to trick the parser into reading — and then revealing — memory it shouldn’t.

When image is processed, private memory is disclosed

4. Extract secrets from the result sent back (e.g., if an error message or preview is sent back, attacker reads the “garbage” memory).

Check out ImageTragick and earlier Apple bugs for similar attack ideas.

How Was It Fixed?

Apple fixed CVE-2023-23535 by improving memory handling. Basically, they now ensure image-reading code properly validates all sizes and boundaries before copying or processing image data, preventing leaks.

Don’t open suspicious images from unknown or untrusted sources.

- Stay updated on security news: Apple Security Updates

References & More Reading

- Apple Security Update – March 2023
- National Vulnerability Database: CVE-2023-23535
- Project Zero Blog: Image Parsing Exploits
- ImageTragick: ImageMagick Vulnerabilities

Final Words

CVE-2023-23535 is a typical example of how seemingly harmless activities, like opening an image, can threaten your privacy. Software bugs in image-handling code are dangerous because so many apps and services work with images. The best way to protect yourself is to always keep your devices up to date.

If you have questions, or want to learn more, check the provided references and follow security news for your devices.

Timeline

Published on: 05/08/2023 20:15:00 UTC
Last modified on: 05/30/2023 06:16:00 UTC