Apple has released bug fixes for five major iOS-related security issues that can be exploited through its iMessage client application last week after they were discovered by Project Zero researchers from Google's competitor, who revealed a feat, but a problem additional has not been totally solved in iOS. 2.4 update, according to the BBC.
All were remote and without interaction, which means that an attacker could exploit them without the owner of the targeted device doing anything. Among the resolved vulnerabilities, one was so severe that it could only be resolved by erasing one device with the loss of all the data, while another could be used to siphon data from a device, wrote the BBC. The sixth bug that has not been solved in iOS 2.4 and can still be exploited seems to be serious, wrote the BBC, but Project Zero's researcher Natalie Silvanovich tweeted that they held the details until the end of the bug fixing time:
Apple's own notes on iOS 12.4 indicate that the uncorrected vulnerability could give hackers a way to block an app or run their own commands on the latest iPhones, iPads and iPod Touch if they could find out.
Apple has not commented on this problem, but urged users to install the new version of iOS, which addresses other discoveries from Google, as well as a range of issues and threats.
"Keeping your software up-to-date is one of the most important things you can do to keep your Apple product safe," the release said.
According to ZDNet, it is possible that if Silvanovich and his colleague from Project Zero, Samuel Groß, had sold the five vulnerabilities without black market interaction or to an exploit provider, they would have easily earned at least one million dollars each, because it offers hackers the ability to infiltrate a target device without being detected. Crowdfense, an exploit provider, told the site that, requiring no clicks to launch an attack and affecting recent versions of iOS, they could have been worth between $ 2 and $ 4 million each, for a total of 20 to $ 24 million.
So it's lucky that Project Zero has discovered them rather than trying to profit from them. According to ZDNet, Silvanovich has planned a conference on iPhone vulnerabilities without remote interaction, at the Black Hat cyber security conference next week, with a summary of the speech stating that she "is talking about the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail, and how to configure tools to test these components. "
The five resolved bugs are listed as CVE-2019-8624, CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662.[BBC/ZDNet]