Members of Google’s Project Zero have discovered six flaws in iOS’s iMessage app. The big danger is that they allow an attacker to take control of a remote device without user action.
Two members of Google ‘s Project Zero, a team of security experts and bug hunters have unveiled six vulnerabilities in iOS, Apple’ s mobile operating system, which can be exploited via the iMessage application. The experts also released a demonstration for four of the bugs, and indicate that the six do not require any interaction on the part of the user.
Four of the vulnerabilities, named CVE-2019-8641, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662, allow remote code execution. A simple message sent to the victim’s iPhone containing a sequence of specific characters allows launching a code that gives the attacker access to the device without any interaction from the user.
An update already available
For the other two vulnerabilities, CVE-2019-8624 and CVE-2019-8646, sending a specially crafted message reads the contents of the device’s memory and thus steals files from the mobile of the victim. Again, no interaction is needed, since the iMessage application decodes a message part to display the notification, which is enough to trigger the flaw.
The experts had alerted Apple since the discovery of each fault. The firm has included a fix for the flaws in the iOS 12.4 update released on July 22. It is therefore imperative to make sure that your devices are up to date. The researchers checked the operation of the patch before making the details of the loopholes public. They have just revealed five flaws, but not the one named CVE-2019-8641 that is still unresolved.