Google discloses slew of iMessage vulnerabilities

Apple urges all users to update their devices to iOS 12.4

Google's Project Zero has discovered six flaws in Apple's iMessage service that could allow attackers to execute malicious code on a user's device.

Extensive details and proof-of-concept (POC) code have been published by Natalie Silvanovich and Samuel Gro, two lead bug hunters on Project Zero, leaving the details of one "interactionless" vulnerability undisclosed while Apple works on a fix.

Advertisement - Article continues below

All disclosed vulnerabilities have been patched in Apple's latest iOS 12.4 update which all users are encouraged to update. The level of detail in the Project Zero disclosures, including examples of POC code would allow attackers to create working exploits to target all unpatched users.

All that would be required to execute code on a user's phone would be to send a malformed message no user interaction would be needed.

One vulnerability would allow an attacker to extract files from a device to read them remotely and another was so effective that the only way to remove it would be to completely wipe the phone, erasing all data.

"For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available," said an Apple spokesperson.

"Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security," they added.

The bug disclosures highlight the importance of regularly updating devices when manufacturers roll them out. This is especially relevant to workplaces that enforce "bring your own device" (BYOD) policies employees could potentially bring vulnerable devices into work, connect to the company network and in turn, create an entry point for an attacker.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"These are serious vulnerabilities, which in the wrong hands could have been extremely dangerous," security analyst Graham Cluley told IT Pro. "Recent history has shown that intelligence agencies and authoritarian regimes have no qualms about exploiting smartphone vulnerabilities to spy on their enemies.

"It's great that Google has acted responsibly and informed Apple of the problem, and not disclosed details until Apple has had a chance to push out an update to its users," he added.

Silanovich is due to give a talk at next week's Black Hat security conference in Las Vegas on the remote vulnerabilities and attack surface of the iPhone.

An abstract of her talk reads: "There have been rumours of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices."

"[The presentation] discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods."

Advertisement - Article continues below

Google's Project Zero, founded in 2014, has a reputation for enforcing strict deadlines on companies whose products or services are found to have vulnerabilities.

The group disclosed a vulnerability in Microsoft Edge back in February 2018 after the Redmond-based company failed to fix it within the 90-day time frame afforded to it by Project Zero.

The disclosure meant Edge users became aware of a vulnerability that wouldn't be fixed for over a month, despite the creators having known about it for three months.

Luckily, the vulnerability wasn't as serious as a remote-code exploit: It just afforded attackers the opportunity to break down Microsoft's second layer of defence, known as an Arbitrary Code Guard (ACG), providing they already had a foothold on the system.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/hacking/356478/researchers-detail-tetrade-family-of-brazilian-banking-trojans
hacking

Researchers detail Tetrade family of Brazilian banking trojans

16 Jul 2020
Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Visit/business-strategy/careers-training/356422/ibm-job-ad-calls-for-12-year-experience-with-6-year-old
Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Visit/development/containers/356391/the-rise-of-containers
Sponsored

The rise of containers

9 Jul 2020
Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020