Google Reveals Multiple Remote iPhone Flaws

Bugs discovered by Google’s Project Zero can be exploited with no user interaction to execute malicious code – with one flaw still remaining to be fixed

Researchers at Google’s Project Zero have disclosed six vulnerabilities in Apple’s iMessage client that could be used to carry out attacks on iOS devices, such as the iPhone, with no user interaction.

All six of the issues were patched in Apple’s iOS 12.4 release last week, but Google withheld the details of one of the bugs, saying Apple’s fix had not fully addressed the issue.

Such flaws are particularly dangerous because they can be exploited without the user’s knowledge.

Four of the bugs can allow malicious code to be executed on a remote device by sending a specially crafted message to the user’s client, according to Google.

Exploit code

Those bugs are CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662, with the fourth,  CVE-2019-8641, being kept under wraps for the time being.

“We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability,” said Natalie Silvanovich, one of the two researchers who discovered the flaws, on Twitter.

Google has provided sample exploit code for the other three bugs, meaning it would be relatively easy for attackers to make use of the flaws.

Users can mitigate this risk by applying the iOS update right away.

Remote flaws

The other two bugs, CVE-2019-8624 and CVE-2019-8646, allow an attacker to obtain data from a device’s memory and read files from a remote device, according to Apple’s own notes on the issues.

Silvanovich is set to hold a talk on iOS bugs that can be exploited remotely without user interaction at the Black Hat security conference next week in Las Vegas.

Project Zero’s Samuel Groß also contributed to work on finding the six flaws.

ZDNet reported earlier on the iMessage bugs.

Apple’s Group FaceTime was hit by an embarrassing eavesdropping glitch earlier this year that forced it to temporarily disable the service.

Like the flaws discovered by Google, the FaceTime issue could be exploited remotely without user interaction.