The latest iOS update, version 12.4, is important given the many new features and fixes it brings along. However, another reason the update is extremely significant, and one that has just come to the fore, is that it contains some vital security fixes that plug some serious flaws in iOS.
Interestingly, the flaws were discovered and reported to Apple by members of Google’s Project Zero bug-hunting division. According to Natalie Silvanovich and Samuel Groß, who first discovered the vulnerabilities, the bug could be transmitted to the victim’s iPhone in the form of an iMessage.
Further, the victim just had to open the message for the bug to take effect. This classifies it as an interaction-less bug, as no user interaction is required for the bug to act. In all, six bugs were reported by the Project Zero members and have since been plugged by Apple, save for one – CVE-2019-8641, which Apple is yet to address fully.
Google has also revealed the technical details as well as the proof-of-concept code for three of the bugs – CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662. Apple hasn’t stated when it expects to plug the first bug effectively and entirely, though let’s hope that happens with the next update itself. Until that happens, Google is holding on to the details of the bug classified as CVE-2019-8641, which aren’t being made public just yet.
The remaining two bugs – CVE-2019-8624 and CVE-2019-8646 – allow the hacker to access the victim’s iPhone remotely. This way the hacker can read files from the target iPhone’s memory, again without requiring any interaction from the victim, which only adds to the lethality of the attack.
The Project Zero duo Natalie Silvanovich and Samuel Groß also stated that the vulnerabilities they have come across are worth well over $5 million on the black market. Silvanovich, meanwhile, has stated that she will be presenting a report on remote and interaction-less vulnerabilities in iOS at the Black Hat security conference scheduled to be held in Las Vegas in the coming week.