CVE-2020-9789

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code by tricking users into processing a maliciously crafted image. It affects Apple devices and software including iOS, macOS, tvOS, watchOS, and Windows versions of iTunes and iCloud. Successful exploitation could give attackers full control of the affected system.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • macOS Catalina
  • tvOS
  • watchOS
  • iTunes for Windows
  • iCloud for Windows
Versions: Versions prior to iOS 13.5, iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19
Operating Systems: iOS, iPadOS, macOS, tvOS, watchOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected software versions are vulnerable. The vulnerability is in image processing libraries.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malware installation, credential theft, or unauthorized access to sensitive data on the compromised device.

🟢 If Mitigated

Limited impact if systems are fully patched, network segmentation is in place, and user education prevents malicious image processing.

🌐 Internet-Facing: MEDIUM - Requires user interaction to process malicious images, but common attack vectors include email attachments, web downloads, or messaging apps.
🏢 Internal Only: LOW - Primarily requires user interaction with malicious content, which is less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to process a malicious image, but no authentication is needed once the image is processed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 13.5, iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19

Vendor Advisory: https://support.apple.com/HT211168

Restart Required: Yes

Instructions:

1. Open Settings (iOS/iPadOS/watchOS) or System Preferences (macOS).
2. Navigate to Software Update.
3. Download and install the latest update.
4. For Windows software, open iTunes or iCloud and check for updates in the Help menu.

🔧 Temporary Workarounds

Disable automatic image processing

Platforms: all

Configure email clients and web browsers to not automatically download or process images from untrusted sources.

User education and policies

Platforms: all

Train users to avoid opening images from unknown sources and implement policies restricting image processing from untrusted locations.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from critical assets
  • Deploy application allowlisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the current version against affected versions listed in the Apple security advisories.

Check Version:

  • iOS/iPadOS: Settings > General > About > Version
  • macOS: Apple menu > About This Mac
  • Windows software: Help > About in iTunes/iCloud

Verify Fix Applied:

Verify the installed version matches or exceeds the patched versions: iOS/iPadOS 13.5+, macOS Catalina 10.15.5+, tvOS 13.4.5+, watchOS 6.2.5+, iTunes 12.10.7+, iCloud for Windows 11.2+ or 7.19+.
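The version comparison above can be scripted over an asset inventory. The following is an added example, not Apple's or this page's tooling; the product keys, host names and inventory rows are constructed, and it assumes iCloud for Windows 7.x is a separate release line from later builds, so a plain "7.19 or higher" test is not applied to them.

```python
import re

# First fixed release per product, as listed on this page.
FIXED = {
    "ios": (13, 5), "ipados": (13, 5), "macos": (10, 15, 5),
    "tvos": (13, 4, 5), "watchos": (6, 2, 5), "itunes-windows": (12, 10, 7),
}
# Assumption: iCloud for Windows 7.x is its own release line, so 7.x builds are
# compared with 7.19 and every other build with 11.2 (10.9 must not pass as >= 7.19).
ICLOUD_FIXED_BY_MAJOR = {7: (7, 19)}
ICLOUD_FIXED_DEFAULT = (11, 2)

def parse_version(text):
    """Turn '13.4.1' into (13, 4, 1); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def pad(version, length):
    """Right-pad with zeros so (13, 5) and (13, 5, 0) compare as equal."""
    return version + (0,) * (length - len(version))

def status(product, version):
    """Return 'patched', 'vulnerable', 'not_listed' or 'unknown'."""
    product = product.strip().lower()
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if product == "icloud-windows":
        fixed = ICLOUD_FIXED_BY_MAJOR.get(v[0], ICLOUD_FIXED_DEFAULT)
    elif product in FIXED:
        fixed = FIXED[product]
    else:
        return "unknown"
    # The page lists only macOS Catalina; older macOS lines are not covered here.
    if product == "macos" and pad(v, 2)[:2] < (10, 15):
        return "not_listed"
    width = max(len(v), len(fixed))
    return "patched" if pad(v, width) >= pad(fixed, width) else "vulnerable"

# Constructed sample inventory: (host, product key, reported version).
INVENTORY = [
    ("phone-01", "ios", "13.4.1"), ("mac-07", "macos", "10.15.5"),
    ("pc-12", "icloud-windows", "10.9"), ("pc-13", "icloud-windows", "7.19"),
    ("pc-14", "itunes-windows", "12.10.6.2"), ("mac-02", "macos", "10.14.6"),
]

def audit(inventory):
    """Attach a status to every inventory row."""
    return [(host, prod, ver, status(prod, ver)) for host, prod, ver in inventory]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("{:10} {:16} {:10} {}".format(*row))
```

Rows reported as not_listed or unknown need a manual check against the vendor advisory rather than being treated as patched.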

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process crashes in image processing services
  • Suspicious file creation or execution following image file access

Network Indicators:

  • Unusual outbound connections from devices after image processing
  • Downloads of suspicious image files from untrusted sources

SIEM Query:

source="apple-device-logs" AND ((event="process_crash" AND process="image*") OR (event="file_execution" AND file_type="image"))
