Google’s elite phone bug-hunting team has exposed six ‘interactionless’ security breaches in iPhones.
The flaws were patched in an update released by Apple last week but the hacks can still infiltrate phones running on the old operating system.
All the vulnerabilities, which required no user interaction, were responsibly reported to Apple by Samuel Groß and Natalie Silvanovich of Google Project Zero, which the company patched just last week with the release of the latest iOS 12.4 update.
The one omitted was because Apple’s iOS 12.4 patch didn’t completely resolve the flaw, according to Natalie Silvanovich, one of Google’s researchers.
Silvanovich says four of the six security bugs allow malicious code on iPhones with no user interaction needed.
Project Zero released findings and details of the flaws in a series of blog posts.
Apple has responded by releasing a new iOS patch which fixes five of the six bugs, with users urged to immediately install it.
Here below, you can find brief details, links to the security advisory, and PoC exploits for all four vulnerabilities:
- CVE-2019-8647 (RCE via iMessage) — This is a use-after-free vulnerability that resides in the Core Data framework of iOS that can cause arbitrary code execution due to insecure deserialization when NSArray initWithCoder method is used.
- CVE-2019-8662 (RCE via iMessage) — This flaw is also similar to the above use-after-free vulnerability and resides in the QuickLook component of iOS, which can also be triggered remotely via iMessage.
- CVE-2019-8660 (RCE via iMessage) — This is a memory corruption issue resides in Core Data framework and Siri component, which if exploited successfully, could allow remote attackers to cause unexpected application termination or arbitrary code execution.
- CVE-2019-8646 (File Read via iMessage) — This flaw, which also resides in the Siri and Core Data iOS components, could allow an attacker to read the content of files stored on iOS devices remotely without user interactions, as user mobile with no-sandbox.