Two members of Project Zero, Google's elite troubleshooting team, have released details and demo exploit code for five out of six "interactionless" vulnerabilities affecting the iOS OS and beyond iMessage can be exploited client.
All six vulnerabilities were resolved last week, July 22, with Apple's iOS 1
Details of one of the "no-interaction" vulnerabilities have been kept secret as Apple's iOS 12.4 patch does not completely fix the problem According to Natalie Silvanovich, one of the two researchers at Google Project Zero, who found and reported the bugs.
Four errors lead to RCEs without user interaction.
According to the researchers, four of the six security bugs can lead to malicious code running on a remote iOS device without requiring user interaction. An attacker only needs to send a bad message to a victim's phone. The malicious code is executed as soon as the user has opened and displayed the received object.
The four bugs are CVE-2019-8641 (details are kept secret) CVE-2019-8647, CVE-2019-8660 and CVE-2019-8662. The linked bug reports provide technical details about each bug but also proof-of-concept code that can be used to create exploits.
The fifth and sixth errors, CVE-2019-8624 and CVE-2019-8646, may allow an attacker to lose data from device memory and read files from a remote device, even without user interaction.
While it's always a good idea to install security updates as they become available, Concept Code means that users should install the iOS 12.4 release without further delay.
Bugs worth well over $ 5 million
The bugs were discovered by Silvanovich and his colleague Samuel Gross, the security researcher for Google Project Zero.
Silvanovich will do so at the Black Hat Security Conference, which will be held in Las Vegas next week, to give a presentation on the iPhone's vulnerabilities remotely and without interaction.
According to a summary of Silvanovich's presentation, only limited information is available on the technical aspects of these attacks on modern equipment.
This presentation examines the iOS remote attack-less attack surface. It discusses the potential for vulnerabilities in SMS, MMS, visual voicemail, iMessage, and mail, and explains how to set up tools to test these components. It also contains two examples of vulnerabilities that were discovered using these methods. "
Silvanovich's talk will attract much attention next week – to date, the arsenal of exploit providers and publishers has typically found iOS bugs without user interaction
Such vulnerabilities, according to a pricing table published by Zerodium, may occur when they occur It would not be an exaggeration to say so Silvanovich has just released details on exploits worth well over $ 5 million and most likely worth around $ 10 million US Dollars.
Other Vulnerability Reports: