Researchers disclose new batch of ‘interactionless’ iOS attacks

Researchers at Google‘s Project Zero, which is tasked with hunting bugs in software, have discovered a handful of iOS attacks.

ZDNet has the report this week. A couple of members of Project Zero were able to identify six security flaws related to iOS. Five of the six have proof-of-concept code already published, along with demos on how they work. Specifically, the researchers note that these exploits could be handled through the iMessage client.

However, the good news is that all six exploits have already been patched with the public launch of iOS 12.4. So while these latest security issues have already been patched, significantly reducing their effectiveness, it’s a reminder that staying up-to-date with the software you use every day is vitally important.

It’s worth noting that one of the bugs in this case is still being kept under wraps (at least for now), because while iOS 12.4 did patch all six, one of the bus has not been completely resolved, at least according to Natalie Silvanovich, one of the researchers who discovered the bugs. Samuel GroƟ is the other researcher who discovered the bugs.

According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.

The four bugs are CVE-2019-8641 (details kept private), CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662. The linked bug reports contain technical details about each bug, but also proof-of-concept code that can be used to craft exploits.

The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device’s memory and read files off a remote device –also with no user interaction.

Bug hunting can lead to lucrative payouts. As pointed out in the original report, these types of vulnerabilities can rake in well over $1 million for the researcher. As such, it’s likely that this pool of security issues could have brought in upwards of $5 million, but could have also been valued as high as $24 million considering they worked on recent versions of iOS.

Basically, make sure to upgrade to iOS 12.4 as soon as you can if you haven’t already done so.