Google security researchers, part of the company’s elite Project Zero team, have found six serious security flaws in Apple’s iOS operating system, which powers iPhones and iPads. While all six security flaws have been patched in Apple’s iOS 12.4 update, which was released on July 22, one of the bugs is yet to be fully resolved. Details for that particular flaw have been kept secret. The flaws could be exploited via Apple’s iMessage app.
According to ZDNet, four of the security bugs would have allowed malicious code to be executed on a remote iOS device with no interaction needed. Two of the flaws would allow an attacker to leak memory and read files off the device.
Five of these six security flaws are ‘interactionless’, which means that no particular action is required from the user for the attack to take place. What it also means is that attackers could have carried out attacks without being detected by exploiting these flaws.
Samuel Groß and Natalie Silvanovich are the two members of the Google Project Zero team who have been credited for six of the bugs. The six bugs discovered by them are CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, CVE-2019-8641, and CVE-2019-8662, while bug CVE-2019-8663 is one for which only Natalie is credited. Details for CVE-2019-8641 are kept private for now.
Apple has also published details of these fixes on its support page, as it does for all security-related updates.
The report on ZDNet also says that Natalie Silvanovich will be presenting on these remote and interactionless iPhone issues at the Black Hat security conference, which will be held in Las Vegas next week. She will be presenting proof of concept for these attacks as well.
The abstract for her presentation reads, “This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods.”