Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Google details five patched iMessage security bugs, one remains unpatched

Last updated

Researchers from Google's 'Project Zero' have disclosed five of six security bugs within iOS that could have allowed an attacker to affect a target user's device via iMessage, issues that Apple has patched in its recent iOS 12.4 update.

In early July, Google Project Zero released details of an iMessage bug that could effectively brick an iPhone and force users to wipe and restore their devices, one that was patched in iOS 12.3. The team have since revealed a number of other bugs that also affect iMessage, but with different results.

The six bugs are described as "interactionless," reports ZDNet, in that all a user has to do is to open and view the contents of a malformed message. In the case of four of the bugs, the message could allow for malicious code to be run on a target device, while two others can enable an attacker to leak data from memory and to read files from the remote device.

Under Google Project Zero's operating procedure, the team publicly discloses bugs 90 days of their discovery, giving developers an opportunity to fix the issue in a software update, or after it has been determined a patch has been successfully applied. Apple's iOS 12.4 update includes patches that fixes five of the six bugs, but the sixth has been held back from being publicized as it was not completely patched out.

The bugs were discovered by Natalie Silvanovich and Samuel Gross. The released bugs are identified as CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, CVE-2019-8624, and CVE-2019-8646, while CVE-2019-8641 is currently withheld from view.

In each case, the researchers have provided technical details of how each bug functions, as well as proof-of-concept code that would work on pre-iOS 12.4 versions.

It has been estimated that, if they were to have been found privately and sold on the black market, each bug could have been worth in excess of $1 million, and in some cases, even as much as $4 million apiece.

Google's Project Zero is an effort by the search company to discover and alert software developers and device vendors of security issues in their products. Despite Google's association with Android, the project also examines other operating systems, including iOS, and has resulted in the discovery of issues in iOS' apps.

The team has also reported issues in macOS, including one where an insecure implementation of XNU's copy-on-write behavior allowing data to be written to an on-disk file without the virtual management subsystem being aware of changes, something considered by the team to be a "high severity" risk at the time.

Silvanovich will be presenting details of the findings at the Black Hat security conference next week, in a presentation about remote and interationless iPhone vulnerabilities. The talk will apparently discuss the "potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail," and explains how to set up tooling to test the components.



7 Comments

🎅
cornchip 11 Years · 1943 comments

I'm not that knowledgeable in OS code engineering, but I understand it at a basic level so I get that it's possible, yet on another level, I don't get why this kind of stuff should be allowed to happen. Seems like anything out of the ordinary should just automatically be shut down. Which I guess the OS architects have made every attempt to ensure, and is what the hackers are constantly attempting to circumvent. So I guess this stuff will just always happen. At least in my lifetime.

☕️
bobroo 10 Years · 96 comments

As with every Apple update; it's never a question of what is being corrected or made better, the question is what is Apple taking away? 

🎁
andrewj5790 9 Years · 296 comments

bobroo said:
As with every Apple update; it's never a question of what is being corrected or made better, the question is what is Apple taking away? 

This doesn’t even make sense. Gibberish.

🕯️
auxio 19 Years · 2766 comments

cornchip said:
I'm not that knowledgeable in OS code engineering, but I understand it at a basic level so I get that it's possible, yet on another level, I don't get why this kind of stuff should be allowed to happen. Seems like anything out of the ordinary should just automatically be shut down. Which I guess the OS architects have made every attempt to ensure, and is what the hackers are constantly attempting to circumvent. So I guess this stuff will just always happen. At least in my lifetime.

The tricky part with iMessage is that they need to allow all sorts of things to be put into messages: text, emoji, images, videos, etc.  Which allows for many different avenues of attack using things which look like legitimate messages, but are really executable code in disguise.

🎅
dysamoria 12 Years · 3430 comments

auxio said:
cornchip said:
I'm not that knowledgeable in OS code engineering, but I understand it at a basic level so I get that it's possible, yet on another level, I don't get why this kind of stuff should be allowed to happen. Seems like anything out of the ordinary should just automatically be shut down. Which I guess the OS architects have made every attempt to ensure, and is what the hackers are constantly attempting to circumvent. So I guess this stuff will just always happen. At least in my lifetime.
The tricky part with iMessage is that they need to allow all sorts of things to be put into messages: text, emoji, images, videos, etc.  Which allows for many different avenues of attack using things which look like legitimate messages, but are really executable code in disguise.

But why are our CPUs executing that errant code? A CPU has no mechanism to separate executable code that was initiated with intent from that which was passed through an overflow, etc?