Apple software has a bug rendering certain PNGs wrong.
GitHub - DavidBuchanan314/ambiguous-png-packer: Craft PNG files that appear completely different in Apple software [NOW PATCHED]
github.com
It was fixed by Apple the other day:
About the security content of Safari 15.2
This document describes the security content of Safari 15.2.
support.apple.com
A vulnerability was found in Apple Safari up to 15.0 (web browser). It was classified as critical. This affects an unknown function of the component WebKit. The manipulation with an unknown input leads to a race condition vulnerability. Using CWE to declare the problem leads to CWE-362. This has an impact on confidentiality, integrity and availability. The weakness was published 12/14/2021 with Kunlun Lab as HT212982 as confirmed advisory (website). The advisory can be downloaded from support.apple.com. The vulnerability is identified as CVE-2021-30984. Exploitability is known to be easy. The attack can happen over the network. The exploitation does not require any specific authentication. It is assumed that the victim is taking a specific act. Neither technical details nor an exploit for the vulnerability are known. It must be assumed that an exploit currently costs around USD $0-$5k (calculated as of December 17, 2021). The advisory points out:
- Processing maliciously crafted web content may lead to arbitrary code execution
- A race condition was addressed with improved state handling.
Manufacturer: Apple
Name: Safari