Google discloses slew of iMessage vulnerabilities

Apple urges all users to update their devices to iOS 12.4

Google's Project Zero has discovered six flaws in Apple's iMessage service that could allow attackers to execute malicious code on a user's device.

Extensive details and proof-of-concept (POC) code have been published by Natalie Silvanovich and Samuel Groß, two lead bug hunters on Project Zero, leaving the details of one "interactionless" vulnerability undisclosed while Apple works on a fix.

All disclosed vulnerabilities have been patched in Apple's latest iOS 12.4 update, to which all users are encouraged to update. The level of detail in the Project Zero disclosures, including examples of POC code, would allow attackers to create working exploits to target all unpatched users.

All that would be required to execute code on a user's phone would be to send a malformed message; no user interaction would be needed.

One vulnerability would allow an attacker to extract files from a device to read them remotely and another was so effective that the only way to remove it would be to completely wipe the phone, erasing all data.

"For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available," said an Apple spokesperson.

"Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security," they added.

The bug disclosures highlight the importance of regularly updating devices when manufacturers roll out updates. This is especially relevant to workplaces that enforce "bring your own device" (BYOD) policies: employees could potentially bring vulnerable devices into work, connect to the company network and, in turn, create an entry point for an attacker.

"These are serious vulnerabilities, which in the wrong hands could have been extremely dangerous," security analyst Graham Cluley told IT Pro. "Recent history has shown that intelligence agencies and authoritarian regimes have no qualms about exploiting smartphone vulnerabilities to spy on their enemies.

"It's great that Google has acted responsibly and informed Apple of the problem, and not disclosed details until Apple has had a chance to push out an update to its users," he added.

Silvanovich is due to give a talk at next week's Black Hat security conference in Las Vegas on the remote vulnerabilities and attack surface of the iPhone.

An abstract of her talk reads: "There have been rumours of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices."

"[The presentation] discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods."

Google's Project Zero, founded in 2014, has a reputation for enforcing strict deadlines on companies whose products or services are found to have vulnerabilities.

The group disclosed a vulnerability in Microsoft Edge back in February 2018 after the Redmond-based company failed to fix it within the 90-day time frame afforded to it by Project Zero.

The disclosure meant Edge users became aware of a vulnerability that wouldn't be fixed for over a month, despite the creators having known about it for three months.

Luckily, the vulnerability wasn't as serious as a remote-code exploit: it just afforded attackers the opportunity to break down Microsoft's second layer of defence, known as Arbitrary Code Guard (ACG), provided they already had a foothold on the system.
