VYPR
NVD Advisory · Severity: Unrated · Published Apr 2, 2021 · Updated Aug 4, 2024

CVE-2020-29618

Description

An out-of-bounds read in image processing on Apple platforms allows arbitrary code execution via a maliciously crafted image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the image processing component of Apple operating systems. This issue can be triggered by processing a maliciously crafted image. Affected versions include tvOS before 14.3, macOS Big Sur before 11.1, macOS Catalina before Security Update 2020-001, macOS Mojave before Security Update 2020-007, iOS before 14.3, iPadOS before 14.3, iCloud for Windows before 12.0, and watchOS before 7.2 [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by delivering a specially crafted image to a user. No authentication or special privileges are required; the user simply needs to open or view the image using any application that processes images. The out-of-bounds read occurs during image parsing due to insufficient input validation.

Impact

Successful exploitation may lead to arbitrary code execution in the context of the affected application. This could allow an attacker to execute arbitrary commands or gain full control of the system. Additionally, the out-of-bounds read could potentially disclose sensitive memory contents.

Mitigation

Apple addressed this issue with improved input validation in updates released on December 14, 2020. Users should update to tvOS 14.3, macOS Big Sur 11.1, iOS 14.3, iPadOS 14.3, iCloud for Windows 12.0, or watchOS 7.2, or install Security Update 2020-001 for Catalina or Security Update 2020-007 for Mojave [1][2][3][4]. No workarounds are necessary.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 12

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.