Google Project Zero researchers have disclosed six iOS vulnerabilities, including four flaws that could allow for remote code execution attacks requiring no user interaction.
Project Zero security researchers Natalie Silvanovich and Samuel Groß discovered the issues. Four of the flaws (CVE-2019-8641, CVE-2019-8647, CVE-2019-8660 and CVE-2019-8662) could lead to RCE iOS attacks, while the other two (CVE-2019-8624 and CVE-2019-8646) could allow malicious actors to leak device data or read files remotely. All six iOS vulnerabilities can be exploited remotely without user interaction.
The researchers have released details on just five of the six vulnerabilities because those five issues were fixed in iOS 12.4, but one of the RCE flaws (CVE-2019-8641) has not yet been patched by Apple.
Included in the disclosures for all five iOS vulnerabilities was proof-of-concept code, making potential exploits easier to develop. Threat actors would be able to launch iOS attacks by sending exploits to targets through iMessage.
Remote code execution vulnerabilities in iOS are some of the most valuable bugs that can be found. Zero-day acquisition company Zerodium, which has offered million-dollar bounties for certain iOS bugs since 2015, currently has RCE iMessage bugs valued at up to $1 million.
Sam Bakken, senior product marketing manager at OneSpan, said that although the iOS attacks would come via malicious iMessages, he wouldn't "recommend anything other than updating to the latest versions of iOS" in order to mitigate the risk.
"Users should also activate the auto-update feature, but they should also know that the auto-update will occur at some point in the seven days after the release of a new iOS version, not immediately. I, myself, have opted to force an immediate update manually," Bakken told SearchSecurity. "You can bet that any organization that deals in the surreptitious compromise of mobile devices is happy to take advantage of any information about iOS vulnerabilities and exploits that is out there. In addition, if they were already aware of these and other flaws, they're less likely to report the issues to Apple or Google. We should thank our lucky stars for security researchers like Natalie Silvanovich that find, report and help fix these sorts of issues."
Neither Apple nor Google responded to requests for comment at the time of this post.
Silvanovich will present her findings on these "interaction-less" iOS attacks at the Black Hat 2019 conference in Las Vegas next week.