Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Google details five patched iMessage security bugs, one remains unpatched

Last updated

Researchers from Google's 'Project Zero' have disclosed five of six security bugs within iOS that could have allowed an attacker to affect a target user's device via iMessage, issues that Apple has patched in its recent iOS 12.4 update.

In early July, Google Project Zero released details of an iMessage bug that could effectively brick an iPhone and force users to wipe and restore their devices, one that was patched in iOS 12.3. The team have since revealed a number of other bugs that also affect iMessage, but with different results.

The six bugs are described as "interactionless," reports ZDNet, in that all a user has to do is to open and view the contents of a malformed message. In the case of four of the bugs, the message could allow for malicious code to be run on a target device, while two others can enable an attacker to leak data from memory and to read files from the remote device.

Under Google Project Zero's operating procedure, the team publicly discloses bugs 90 days of their discovery, giving developers an opportunity to fix the issue in a software update, or after it has been determined a patch has been successfully applied. Apple's iOS 12.4 update includes patches that fixes five of the six bugs, but the sixth has been held back from being publicized as it was not completely patched out.

The bugs were discovered by Natalie Silvanovich and Samuel Gross. The released bugs are identified as CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, CVE-2019-8624, and CVE-2019-8646, while CVE-2019-8641 is currently withheld from view.

In each case, the researchers have provided technical details of how each bug functions, as well as proof-of-concept code that would work on pre-iOS 12.4 versions.

It has been estimated that, if they were to have been found privately and sold on the black market, each bug could have been worth in excess of $1 million, and in some cases, even as much as $4 million apiece.

Google's Project Zero is an effort by the search company to discover and alert software developers and device vendors of security issues in their products. Despite Google's association with Android, the project also examines other operating systems, including iOS, and has resulted in the discovery of issues in iOS' apps.

The team has also reported issues in macOS, including one where an insecure implementation of XNU's copy-on-write behavior allowing data to be written to an on-disk file without the virtual management subsystem being aware of changes, something considered by the team to be a "high severity" risk at the time.

Silvanovich will be presenting details of the findings at the Black Hat security conference next week, in a presentation about remote and interationless iPhone vulnerabilities. The talk will apparently discuss the "potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail," and explains how to set up tooling to test the components.