Apple released patches for all six security bugs as part of iOS 12.4, but one remains exploitable according to Google’s Project Zero team.
If you own an iOS device such as an iPhone or iPad, install iOS 12.4 as soon as possible. It fixes most, but not all, of the security vulnerabilities recently discovered by Google’s Project Zero security team, which require no interaction by the user to be exploited.
As ZDNet reports, Google employs a team of security analysts under the banner of Project Zero tasked with discovering zero-day vulnerabilities and informing the relevant company so they can be fixed rather than exploited. Two Project Zero security researchers (Natalie Silvanovich and Samuel Groß) recently discovered six iOS vulnerabilities and reported them to Apple.
The problem is, Apple released iOS 12.4 last week with patches for all six vulnerabilities, but one still remains exploitable even with the patch applied. All six are serious security flaws and deemed “interactionless,” meaning they can be used to exploit an iOS device without any user input.
An attack comes in the form of a malformed iMessage. Four of the vulnerabilities use malicious code attached to a message which gets executed automatically when the message is opened. The other two rely on memory leaks to access data on the device remotely.
Because Apple has successfully fixed only five of the six flaws, Project Zero decided to publish details and demo code for only five of the bugs (CVE-2019-8624, CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662), allowing Apple more time to release another patch. If you’re wondering how much these exploits would be worth on the open market, each could easily sell for over $1 million.
Until the final exploit has been properly patched, iOS users should be extra cautious as to the messages they choose to open in iMessage. One of the researchers, Natalie Silvanovich, will be giving a presentation next week at the Black Hat security conference in Las Vegas on remote and interactionless iPhone exploits.