Which is weird cause that redirect url is to exactly what's linked in the post. It only happens on this link.
jdefr89 · 14h ago
I remember when I was doing iOS/macOS security research back in 2015 and I though to myself "I bet core audio has bugs.." but never really looked into them because my thinking was they wouldn't have been too too useful unless you can get someone to open an audio file... But great work.
saghm · 1d ago
Is there a typo in the code block for the `Process` function near the end of the post? Lines 13-15 have the following loop:
while (remapVec[remapStartIndex] >= index) { // Follow the 'cycle'
index = remapVec[remapStartIndex];
}
I'm not sure what that loop is supposed to be doing, but as its written it looks like it would either be skipped entirely or never terminate; after single iteration, the the two values would be equal and never change again.
johnfn · 1d ago
The authors probably intended to write:
index = remapVec[index];
which would do a better job at following a cycle.
ec109685 · 1d ago
I’d be really frustrated if my device was compromised by an esoteric audio format that I had no intention of ever listening to.
If these parsers can’t run inside an isolated process, perhaps they shouldn’t be enabled at all?
mike_d · 22h ago
> I’d be really frustrated if my device was compromised by an esoteric audio format that I had no intention of ever listening to.
Users get even more frustrated when they want to play something and it does not work. Security is always a usability trade-off.
There is also an argument to be made that it is better for Apple to introduce a few bugs adding support for viewing/playing/etc random things than end users googling "how to play X" and downloading whatever app appears first in the results.
Remember the good 'ol days when everyone had Adobe Acrobat installed so they could open PDFs and it had a new 0day every month? Then one day Chrome added PDF.js and exploitation in the wild dropped off as people stopped downloading shitware to fill out rental applications.
captn3m0 · 10h ago
pdf.js was a Mozilla experiment.
tialaramex · 21h ago
We know how to provably do Wrangling Untrusted File Formats Safely, that's what WUFFS is. So it's not about an "isolated process" it's about a choice to do shoddy engineering and a society which has decided that shoddy engineering is fine in this particular domain.
Hilift · 23h ago
This is totally on-brand for Apple.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS."
That's an RCE, but nowhere near as bad as other recent exploits (CVE-2023-41064 and CVE-2023-41061) that include device and account takeover from an iMessage that you don't have to read. Also these typically don't rate highest severity (7.5/High) probably due to the limited scope of the targets.
It's not really esoteric given it's part of Apple's push into Spatial Audio as early as 2020 (movies in 2020, Apple Music in 2021). Sure you might have no intention of listening to this, but it's wrong to say it's esoteric given the amount of marketing material Apple has put out.
ChocolateGod · 1d ago
> attack against specific targeted individuals on iOS
I'm sure Pegasus will come up with another exploit to replace this one.
No comments yet
duped · 1d ago
> Essentially, if you have a vector, say [A,B,C] that you actually want to be [B,A,C], then you might do that with a ‘permutation map’: another vector that says where each element should go. In this case that would be [1,0,2], which means that the element at index 1 should go to index 0, and the element at index 0 should go to index 1 and the element at index 2 should stay where it is. The simplest working way to do this is to just allocate another vector, and essentially use the permutation map as a kind of dictionary (index→element) for populating that third vector. However, if you would rather be clever and don’t feel like allocating a whole other vector, then you can use the algorithm above.
This isn't being clever, it's actually incorrect to allocate a whole other vector. Realtime code requires O(1) memory complexity for correctness. Although the smart thing would be to preallocate a buffer for the pointers, but in general that may not be possible (I'm not an expert in CoreAudio but if the channels are interleaved and the next chunk of code expects to process in place you really do have to it this way).
It sounds like the CVE is super simple, reduced to:
- CoreAudio determines the number of channels before playback to create a resource, standard practice in audio processing
- It then trusts the number of channels of an incoming stream when using that resource
- A maliciously crafted audio file can bypass checks for this and trigger a buffer overflow
Never trust your inputs, folks.
The reason this comes up with HOA to me is not surprising: almost no one uses HOA, and a variety of other optimizations like assuming the "H" in HOA only refers to up to 128 channels (since afaik, no one even tries past that point).
> Imagine if the primitive is that you can write n 8 byte sequences out of bounds, but they must be valid 32 bit floats in the range x-y
I imagine the only thing you need to guarantee is you don't use subnormals, since audio code usually enables FTZ mode on both ARM and x86.
If these parsers can’t run inside an isolated process, perhaps they shouldn’t be enabled at all?
Users get even more frustrated when they want to play something and it does not work. Security is always a usability trade-off.
There is also an argument to be made that it is better for Apple to introduce a few bugs adding support for viewing/playing/etc random things than end users googling "how to play X" and downloading whatever app appears first in the results.
Remember the good 'ol days when everyone had Adobe Acrobat installed so they could open PDFs and it had a new 0day every month? Then one day Chrome added PDF.js and exploitation in the wild dropped off as people stopped downloading shitware to fill out rental applications.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS."
That's an RCE, but nowhere near as bad as other recent exploits (CVE-2023-41064 and CVE-2023-41061) that include device and account takeover from an iMessage that you don't have to read. Also these typically don't rate highest severity (7.5/High) probably due to the limited scope of the targets.
https://www.tenable.com/cve/CVE-2025-31200
I'm sure Pegasus will come up with another exploit to replace this one.
No comments yet
This isn't being clever, it's actually incorrect to allocate a whole other vector. Realtime code requires O(1) memory complexity for correctness. Although the smart thing would be to preallocate a buffer for the pointers, but in general that may not be possible (I'm not an expert in CoreAudio but if the channels are interleaved and the next chunk of code expects to process in place you really do have to it this way).
It sounds like the CVE is super simple, reduced to:
- CoreAudio determines the number of channels before playback to create a resource, standard practice in audio processing
- It then trusts the number of channels of an incoming stream when using that resource
- A maliciously crafted audio file can bypass checks for this and trigger a buffer overflow
Never trust your inputs, folks.
The reason this comes up with HOA to me is not surprising: almost no one uses HOA, and a variety of other optimizations like assuming the "H" in HOA only refers to up to 128 channels (since afaik, no one even tries past that point).
> Imagine if the primitive is that you can write n 8 byte sequences out of bounds, but they must be valid 32 bit floats in the range x-y
I imagine the only thing you need to guarantee is you don't use subnormals, since audio code usually enables FTZ mode on both ARM and x86.