Two members of Project Zero, Google’s elite bug-hunting team, have published details and demo exploit code for five of six “interactionless” security bugs that impact the iOS operating system and can be exploited via the iMessage client.
All six security flaws were patched last week, on July 22, with Apple’s iOS 12.4 release.
Details about one of the “interactionless” vulnerabilities have been kept private because Apple’s iOS 12.4 patch did not completely resolve the bug, according to Natalie Silvanovich, one of the two Google Project Zero researchers who found and reported the bugs.
Four bugs lead to no-user-interaction RCEs
According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is send a malformed message to a victim’s phone; the malicious code executes when the device processes the incoming message, without the user having to open or view it.
The four bugs are CVE-2019-8641 (details kept private), CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662. The Project Zero bug reports contain technical details about each bug, along with proof-of-concept code that can be used to craft exploits.
While it is always a good idea to install security updates as soon as they become available, the public availability of proof-of-concept code means users should install the iOS 12.4 release without further delay.
Bugs worth well over $5 million
The bugs were discovered by Silvanovich and fellow Google Project Zero security researcher Samuel Groß.
Silvanovich will be holding a presentation about remote and interactionless iPhone vulnerabilities at the Black Hat security conference that will be held in Las Vegas next week.
“There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices,” reads an abstract of Silvanovich’s talk.
“This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods.”
Silvanovich’s talk is set to garner a lot of attention next week. Until today, no-user-interaction iOS bugs were usually found only in the arsenals of exploit vendors and makers of lawful-intercept tools and surveillance software.
Such vulnerabilities, when sold on the black market, can bring a bug hunter well over $1 million, according to a price chart published by exploit broker Zerodium. By that yardstick, it wouldn’t be an exaggeration to say that Silvanovich just published details about exploits worth well over $5 million, and most likely valued at around $10 million.