In a statement, the researchers said on Thursday the vulnerabilities had been found in the ALAC format — Apple Lossless Audio Codec — and patched in December 2021 by the two chip companies.
Check Point did not specify why it had waited so long to release the few details it did about this vulnerability. Neither Qualcomm nor MediaTek has issued public statements about these vulnerabilities.
Qualcomm assigned CVE-2021-30351 for the vulnerabilities in its December update, while MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC flaws in the same month.
CheckPointSW: .@_CPResearch_ discovered vulnerabilities in the #ALAC format that could have led an attacker to remotely get access to its media and audio conversations. CPR estimates that over two-thirds of the world's phones were vulnerable at some poin… pic.twitter.com/U6Uuv6o3GI
— CheckPointNederland (@CheckPoint_NL) April 21, 2022
The researchers said ALAC had been developed by Apple and first used in 2004 for lossless data compression.
They said the code had been open-sourced in 2011 and, since then, had been used in non-Apple devices. No specific devices were mentioned.
"Since then Apple has been updating the proprietary version of the decoder several times, fixing and patching security issues, but the shared code has not been patched since 2011," the researchers noted.
"Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code."
They said the vulnerabilities could be used for a remote attack. This could "range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera".
"In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations," the statement said.
Thanks to Dan Goodin of Ars Technica for a link to the Check Point statement.