قالب وردپرس درنا توس
Home / Technology / Google's Project Zero finds six "no-interaction" iOS vulnerabilities in the iMessage app

Google's Project Zero finds six "no-interaction" iOS vulnerabilities in the iMessage app



An Apple Store in NYC, 2018.
Photo: Mark Lennihan (AP)

Apple released bug fixes for five important security issues in iOS that can be exploited over its iMessage client app last week after it was discovered by researchers from its competitor Google Exploit-Hunting Project Zero, although the BBC reported an additional issue and was not fully resolved in the iOS 12.4 update.

All of them were remote and non-interactive, meaning an attacker could exploit them without the owner of the target device having to do anything. Of the vulnerabilities that were fixed, one was so serious that it could only be fixed by deleting one device with the loss of all data, while another could be used to remove data from a device, the BBC wrote. The sixth bug, which has not been resolved in iOS 12.4 and can still be exploited, seems to be serious, the BBC wrote, but Project Zero Researcher Natalie Silvanovich tweeted that they withheld details until a deadline for the fix has expired:

Apple's own notes on iOS 12.4 indicate that the unresolved bug could give hackers the opportunity to crash an app or run their own commands on newer iPhones, iPads, and iPod touches if they did they could discover.

Apple has not commented on this specific issue, but has asked users to install the new version of iOS, which will fix Google's other discoveries and a host of other issues and threats.

The most important thing you can do to ensure the safety of your Apple product, "states a statement.

According to ZDNet, it would be possible for Silvanovich and his colleague Samuel Gross, researchers at Project Zero, to sell the five no-user Interacti. Vulnerabilities on the black market or at exploit providers could easily have cost them at least a million dollars – because they offer hackers the ability to infiltrate a target device undetected. Crowdfense, an exploit provider, told the site that since they did not need clicks to set up an attack, and they had the latest versions of iOS, they each cost $ 2-4 million for a total of 20-24 Could have achieved millions of dollars.

So it's more fortunate that Project Zero discovered this than trying to use it. According to ZDNet, at the Black Hat Cybersecurity conference next week, Silvanovich will hold a planned talk on interactionless vulnerabilities on the iPhone. The abstract of the talk reads: "Explains the potential for SMS, MMS, Visual Voicemail, iMessage, and Mail vulnerabilities and how to set up tools to test these components.

The five bugs fixed are listed as CVE-2019-8624, CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662.

[BBC/ZDNet]

Correction: In an earlier version of this article, the version number of the iOS update was set to 2.4 incorrectly. The latest update for iOS 2 was version 2.2.1 in 2009. The latest update for iOS is obviously version 12.4, and the author asks you to mock him in the comments below.


Source link