Apple has already patched the bug in iOS 12.4

Jul 30, 2019 07:49 GMT

A Google security engineer discovered a critical bug in Apple’s iMessage platform that allowed an attacker to obtain access to data stored on an iPhone.

Natalie Silvanovich, security researcher and part of the Google Project Zero team, says they discovered a total of five different bugs in iMessage.

All of them have already been reported to Apple and are subject to a 90-day disclosure policy, as per the Project Zero program. According to the researcher, the five issues are the following:  

CVE-2019-8647 - remote, interactionless use-after-free
CVE-2019-8662 - similar to CVE-2019-8647
CVE-2019-8660 - remote, interactionless memory corruption
CVE-2019-8646 - allows an attacker to read files off a remote device with no user interaction, as user mobile with no sandbox
CVE-2019-8641 - still private, as fix not yet available

Patch already available

The iMessage bug, which can be reproduced using the instructions on the page linked above, was reported to Apple back in May. The company included a patch in iOS 12.4, so iPhone users are advised to install the new software update as soon as possible.

In a technical analysis of the bug, the security researcher explains that devices running iOS 12 and later are vulnerable.

“The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This issue was fixed in 12.4 by preventing this class from being decoded unless it is explicitly added to the allow list. Better filtering of the file URL was also implemented,” Silvanovich explains.

Given the complex approach required to exploit the bug, it’s unlikely that any user was targeted by an attack based on this vulnerability. Users are nonetheless advised to install iOS 12.4, especially given that the steps to reproduce the issue are already available online.

Apple hasn’t said a single word about this vulnerability patched in the latest stable update for iOS.