“Two of the bugs allow the attacker to leak data from a device’s memory and read files off a remote device, all without user interaction”
Google security researchers have discovered six ‘Zero Interaction’ iOS vulnerabilities that allow an attacker to take control of the phone when the user simply receives and opens a message. Five of them have been fixed in iOS 12.4, but Apple has yet to fix the sixth. The bugs were discovered by Natalie Silvanovich and Google Project Zero security researcher Samuel Groß. According to the Google researchers, four of the six security bugs can execute malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is send a message to a victim’s phone, and the malicious code will execute once the user opens and views the received message. The fifth and sixth bugs allow the attacker to leak data from a device’s memory and read files off a remote device, all without user interaction.
The four bugs are CVE-2019-8641, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662. While Apple tried to fix all six vulnerabilities in iOS 12.4, Google claims it did not completely do so. A ZDNet report says, “Details about one of the ‘interactionless’ vulnerabilities have been kept private because Apple’s iOS 12.4 patch did not completely resolve the bug, according to Natalie Silvanovich, one of the two Google Project Zero researchers who found and reported the bugs.” Google first reported the issues to Apple so that it could issue patches before the team disclosed all the details.
Details of the remaining five exploits will be shared at the Black Hat security conference in Las Vegas next week. ‘Zero-interaction’ or ‘frictionless’ vulnerabilities are claimed to be the most dangerous; in this case, the zero-interaction attack relies on opening a message. The message could be sent via SMS, MMS, iMessage, Mail or even Visual Voicemail. Since iOS 12.4 includes a serious security fix, it is suggested that you update if you haven’t already.