Categories: SecurityWorkspace

Google Reveals Multiple Remote iPhone Flaws

Researchers at Google’s Project Zero have disclosed six vulnerabilities in Apple’s iMessage client that could be used to carry out attacks on iOS devices, such as the iPhone, with no user interaction.

All six of the issues were patched in Apple’s iOS 12.4 release last week, but Google withheld the details of one of the bugs, saying Apple’s fix had not fully addressed the issue.

Such flaws are particularly dangerous because they can be exploited without the user’s knowledge.

Four of the bugs can allow malicious code to be executed on a remote device by sending a specially crafted message to the user’s client, according to Google.

Exploit code

Those bugs are CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662, with the fourth,  CVE-2019-8641, being kept under wraps for the time being.

“We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability,” said Natalie Silvanovich, one of the two researchers who discovered the flaws, on Twitter.

Google has provided sample exploit code for the other three bugs, meaning it would be relatively easy for attackers to make use of the flaws.

Users can mitigate this risk by applying the iOS update right away.

Remote flaws

The other two bugs, CVE-2019-8624 and CVE-2019-8646, allow an attacker to obtain data from a device’s memory and read files from a remote device, according to Apple’s own notes on the issues.

Silvanovich is set to hold a talk on iOS bugs that can be exploited remotely without user interaction at the Black Hat security conference next week in Las Vegas.

Project Zero’s Samuel Groß also contributed to work on finding the six flaws.

ZDNet reported earlier on the iMessage bugs.

Apple’s Group FaceTime was hit by an embarrassing eavesdropping glitch earlier this year that forced it to temporarily disable the service.

Like the flaws discovered by Google, the FaceTime issue could be exploited remotely without user interaction.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

4 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

6 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

8 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

8 hours ago