Categories: SecurityWorkspace

Google Reveals Multiple Remote iPhone Flaws

Researchers at Google’s Project Zero have disclosed six vulnerabilities in Apple’s iMessage client that could be used to carry out attacks on iOS devices, such as the iPhone, with no user interaction.

All six of the issues were patched in Apple’s iOS 12.4 release last week, but Google withheld the details of one of the bugs, saying Apple’s fix had not fully addressed the issue.

Such flaws are particularly dangerous because they can be exploited without the user’s knowledge.

Four of the bugs can allow malicious code to be executed on a remote device by sending a specially crafted message to the user’s client, according to Google.

Exploit code

Those bugs are CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662, with the fourth,  CVE-2019-8641, being kept under wraps for the time being.

“We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability,” said Natalie Silvanovich, one of the two researchers who discovered the flaws, on Twitter.

Google has provided sample exploit code for the other three bugs, meaning it would be relatively easy for attackers to make use of the flaws.

Users can mitigate this risk by applying the iOS update right away.

Remote flaws

The other two bugs, CVE-2019-8624 and CVE-2019-8646, allow an attacker to obtain data from a device’s memory and read files from a remote device, according to Apple’s own notes on the issues.

Silvanovich is set to hold a talk on iOS bugs that can be exploited remotely without user interaction at the Black Hat security conference next week in Las Vegas.

Project Zero’s Samuel Groß also contributed to work on finding the six flaws.

ZDNet reported earlier on the iMessage bugs.

Apple’s Group FaceTime was hit by an embarrassing eavesdropping glitch earlier this year that forced it to temporarily disable the service.

Like the flaws discovered by Google, the FaceTime issue could be exploited remotely without user interaction.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Amazon Alexa Recovers After Morning Outage

Alexa wake up alarm didn't work this morning? Smart lights didn't turn on? Outage of…

3 days ago

UK, Australia Reach Cyber, Critical Tech Agreement

Australia says it will 'fight back' against nation state cyberattacks, after agreements with the UK…

3 days ago

Italian Regulator Recalculates Apple, Amazon Fines

Italian regulator admits it has redetermined the fines against Apple and Amazon, over the sale…

3 days ago

Red Cross ‘Appalled’ As Hackers Steal Humanitarian Data Of 515,000 People

A new low. International Committee of the Red Cross shuts down reunification system, after hackers…

4 days ago

Russia Proposes Ban On Cryptocurrencies, Crypto Mining

Russia's central bank has this week proposed the banning on the use and mining of…

4 days ago