Google discloses slew of iMessage vulnerabilities

Apple urges all users to update their devices to iOS 12.4

Google's Project Zero has discovered six flaws in Apple's iMessage service that could allow attackers to execute malicious code on a user's device.

Extensive details and proof-of-concept (POC) code have been published by Natalie Silvanovich and Samuel Gro, two lead bug hunters on Project Zero, leaving the details of one "interactionless" vulnerability undisclosed while Apple works on a fix.

All disclosed vulnerabilities have been patched in Apple's latest iOS 12.4 update which all users are encouraged to update. The level of detail in the Project Zero disclosures, including examples of POC code would allow attackers to create working exploits to target all unpatched users.

All that would be required to execute code on a user's phone would be to send a malformed message no user interaction would be needed.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

One vulnerability would allow an attacker to extract files from a device to read them remotely and another was so effective that the only way to remove it would be to completely wipe the phone, erasing all data.

"For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available," said an Apple spokesperson.

"Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security," they added.

The bug disclosures highlight the importance of regularly updating devices when manufacturers roll them out. This is especially relevant to workplaces that enforce "bring your own device" (BYOD) policies employees could potentially bring vulnerable devices into work, connect to the company network and in turn, create an entry point for an attacker.

"These are serious vulnerabilities, which in the wrong hands could have been extremely dangerous," security analyst Graham Cluley told IT Pro. "Recent history has shown that intelligence agencies and authoritarian regimes have no qualms about exploiting smartphone vulnerabilities to spy on their enemies.

"It's great that Google has acted responsibly and informed Apple of the problem, and not disclosed details until Apple has had a chance to push out an update to its users," he added.

Advertisement - Article continues below

Silanovich is due to give a talk at next week's Black Hat security conference in Las Vegas on the remote vulnerabilities and attack surface of the iPhone.

An abstract of her talk reads: "There have been rumours of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices."

"[The presentation] discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods."

Google's Project Zero, founded in 2014, has a reputation for enforcing strict deadlines on companies whose products or services are found to have vulnerabilities.

Advertisement
Advertisement - Article continues below

The group disclosed a vulnerability in Microsoft Edge back in February 2018 after the Redmond-based company failed to fix it within the 90-day time frame afforded to it by Project Zero.

The disclosure meant Edge users became aware of a vulnerability that wouldn't be fixed for over a month, despite the creators having known about it for three months.

Advertisement - Article continues below

Luckily, the vulnerability wasn't as serious as a remote-code exploit: It just afforded attackers the opportunity to break down Microsoft's second layer of defence, known as an Arbitrary Code Guard (ACG), providing they already had a foothold on the system.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/hardware/354584/windows-10-and-the-tools-for-agile-working
Sponsored

Windows 10 and the tools for agile working

20 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020