Researchers at Google’s Project Zero have disclosed six vulnerabilities in Apple’s iMessage client that could be used to carry out attacks on iOS devices, such as the iPhone, with no user interaction.
All six of the issues were patched in Apple’s iOS 12.4 release last week, but Google withheld the details of one of the bugs, saying Apple’s fix had not fully addressed the issue.
Such flaws are particularly dangerous because they can be exploited without the user’s knowledge.
Four of the bugs can allow malicious code to be executed on a remote device by sending a specially crafted message to the user’s client, according to Google.
Those bugs are CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662, with the fourth, CVE-2019-8641, being kept under wraps for the time being.
“We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability,” said Natalie Silvanovich, one of the two researchers who discovered the flaws, on Twitter.
Google has provided sample exploit code for the other three bugs, meaning it would be relatively easy for attackers to make use of the flaws.
Users can mitigate this risk by applying the iOS update right away.
The other two bugs, CVE-2019-8624 and CVE-2019-8646, allow an attacker to obtain data from a device’s memory and read files from a remote device, according to Apple’s own notes on the issues.
Silvanovich is set to hold a talk on iOS bugs that can be exploited remotely without user interaction at the Black Hat security conference next week in Las Vegas.
Project Zero’s Samuel Groß also contributed to work on finding the six flaws.
ZDNet reported earlier on the iMessage bugs.
Apple’s Group FaceTime was hit by an embarrassing eavesdropping glitch earlier this year that forced it to temporarily disable the service.
Like the flaws discovered by Google, the FaceTime issue could be exploited remotely without user interaction.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…