Google discloses slew of iMessage vulnerabilities

Apple urges all users to update their devices to iOS 12.4

Google's Project Zero has discovered six flaws in Apple's iMessage service that could allow attackers to execute malicious code on a user's device.

Extensive details and proof-of-concept (POC) code have been published by Natalie Silvanovich and Samuel Groß, two lead bug hunters on Project Zero, leaving the details of one "interactionless" vulnerability undisclosed while Apple works on a fix.

All disclosed vulnerabilities have been patched in Apple's latest iOS 12.4 update, which all users are encouraged to install. The level of detail in the Project Zero disclosures, including examples of POC code, would allow attackers to create working exploits to target all unpatched users.

All that would be required to execute code on a user's phone would be to send a malformed message; no user interaction would be needed.

One vulnerability would allow an attacker to extract files from a device to read them remotely and another was so effective that the only way to remove it would be to completely wipe the phone, erasing all data.

"For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available," said an Apple spokesperson.

"Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security," they added.

The bug disclosures highlight the importance of installing device updates as soon as manufacturers roll them out. This is especially relevant to workplaces that enforce "bring your own device" (BYOD) policies: employees could potentially bring vulnerable devices into work, connect to the company network and, in turn, create an entry point for an attacker.

"These are serious vulnerabilities, which in the wrong hands could have been extremely dangerous," security analyst Graham Cluley told IT Pro. "Recent history has shown that intelligence agencies and authoritarian regimes have no qualms about exploiting smartphone vulnerabilities to spy on their enemies.

"It's great that Google has acted responsibly and informed Apple of the problem, and not disclosed details until Apple has had a chance to push out an update to its users," he added.

Silvanovich is due to give a talk at next week's Black Hat security conference in Las Vegas on the remote vulnerabilities and attack surface of the iPhone.

An abstract of her talk reads: "There have been rumours of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices."

"[The presentation] discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods."

Google's Project Zero, founded in 2014, has a reputation for enforcing strict deadlines on companies whose products or services are found to have vulnerabilities.

The group disclosed a vulnerability in Microsoft Edge back in February 2018 after the Redmond-based company failed to fix it within the 90-day time frame afforded to it by Project Zero.

The disclosure meant Edge users became aware of a vulnerability that wouldn't be fixed for over a month, despite the creators having known about it for three months.

Luckily, the vulnerability wasn't as serious as a remote-code exploit: it just afforded attackers the opportunity to break down Microsoft's second layer of defence, known as Arbitrary Code Guard (ACG), provided they already had a foothold on the system.
