Google’s elite phone bug-hunting team has exposed six ‘interactionless’ security breaches in iPhones.
The flaws were patched in an update released by Apple last week, but the hacks can still infiltrate phones running on the old operating system.
All the vulnerabilities, which require no user interaction, were responsibly reported to Apple by Samuel Groß and Natalie Silvanovich of Google Project Zero, and the company patched them just last week with the release of the latest iOS 12.4 update.
One was omitted because Apple’s iOS 12.4 patch didn’t completely resolve the flaw, according to Natalie Silvanovich, one of Google’s researchers.
Silvanovich says four of the six security bugs allow malicious code to run on iPhones with no user interaction needed.
Project Zero released findings and details of the flaws in a series of blog posts.
Apple has responded by releasing a new iOS patch which fixes five of the six bugs, with users urged to immediately install it.
Below, you can find brief details, links to the security advisory, and PoC exploits for all four vulnerabilities:
- CVE-2019-8647 (RCE via iMessage) — This is a use-after-free vulnerability in the Core Data framework of iOS that can cause arbitrary code execution due to insecure deserialization when the NSArray initWithCoder method is used.
- CVE-2019-8662 (RCE via iMessage) — This flaw is similar to the use-after-free vulnerability above and resides in the QuickLook component of iOS; it can also be triggered remotely via iMessage.
- CVE-2019-8660 (RCE via iMessage) — This is a memory corruption issue that resides in the Core Data framework and Siri component which, if exploited successfully, could allow remote attackers to cause unexpected application termination or arbitrary code execution.
- CVE-2019-8646 (File Read via iMessage) — This flaw, which also resides in the Siri and Core Data iOS components, could allow an attacker to read the content of files stored on iOS devices remotely without user interaction, as the user mobile with no sandbox.