Google’s cybersecurity researchers have finally disclosed details and proof-of-concept exploits for 4 out of 5 security vulnerabilities that could allow remote attackers to target Apple iOS devices just by sending a maliciously-crafted message over iMessage.
All the vulnerabilities, which required no user interaction, were responsibly reported to Apple by Samuel Groß and Natalie Silvanovich of Google Project Zero, which the company patched just last week with the release of the latest iOS 12.4 update.
Four of these vulnerabilities are “interactionless” use-after-free and memory corruption issues that could let remote attackers achieve arbitrary code execution on affected iOS devices.
However, researchers have yet released details and exploits for three of these four critical RCE vulnerabilities and kept one (CVE-2019-8641) private because the latest patch update did not completely address this issue.
The fifth vulnerability (CVE-2019-8646), an out-of-bounds read, can also be executed remotely by just sending a malformed message via iMessage. But instead of code execution, this bug allows an attacker to read the content of files stored on the victim’s iOS device through leaked memory.
Here below, you can find brief details, links to the security advisory, and PoC exploits for all four vulnerabilities:
- CVE-2019-8647 (RCE via iMessage) — This is a use-after-free vulnerability that resides in the Core Data framework of iOS that can cause arbitrary code execution due to insecure deserialization when NSArray initWithCoder method is used.
- CVE-2019-8662 (RCE via iMessage) — This flaw is also similar to the above use-after-free vulnerability and resides in the QuickLook component of iOS, which can also be triggered remotely via iMessage.
- CVE-2019-8660 (RCE via iMessage) — This is a memory corruption issue resides in Core Data framework and Siri component, which if exploited successfully, could allow remote attackers to cause unexpected application termination or arbitrary code execution.
- CVE-2019-8646 (File Read via iMessage) — This flaw, which also resides in the Siri and Core Data iOS components, could allow an attacker to read the content of files stored on iOS devices remotely without user interactions, as user mobile with no-sandbox.
Besides these 5 vulnerabilities, Silvanovich also last week released details and a PoC exploit for another out-of-bounds read vulnerability that also allows remote attackers to leak memory and read files from a remote device.
The vulnerability, assigned as CVE-2019-8624, resides in Digital Touch component of watchOS and affects Apple Watch Series 1 and later. The issue has been patched by Apple this month with the release of watchOS 5.3.
Since proof-of-concept exploits for all these six security vulnerabilities are now available to the public, users are highly recommended to upgrade their Apple devices to the latest version of the software as soon as possible.
Besides security vulnerabilities, the long-awaited iOS 12.4 updates for iPhone, iPad, and iPod touch also came up with some new features, including the ability to wirelessly transfer data and migrate directly from an old iPhone to a new iPhone during setup.