A total of six security flaws in Apple’s iOS software have been discovered by Google security researchers. Of these, one has yet to be patched by the iPhone manufacturer. Two Google Project Zero researchers, Natalie Silvanovich and Samuel Groß, discovered the flaws in the iPhone software, according to a ZDNet report.
Five of these flaws were addressed in last week’s iOS 12.4 update, which contained several security fixes. The researchers described all of the discovered vulnerabilities as “interaction-less”, meaning that the flaws can be exploited without any interaction from a user. Moreover, they are exploitable through the iMessage client.
Four of the six vulnerabilities depend on an attacker sending a message containing malicious code to an unpatched phone; the code can execute as soon as a user opens the message. The remaining two vulnerabilities are related to memory exploits.
Full details of the five patched bugs have been published online. However, the final bug will remain confidential until Apple can address it. The published list of exploits gives more details about the attacks, along with proof-of-concept documentation. The patched bugs are CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, CVE-2019-8624, and CVE-2019-8646. CVE-2019-8641 is still not fully disclosed. A chart by security firm Zerodium suggests five of the exploits are valued at $1 million each.
Moreover, for users who have not yet updated their iPhone to iOS 12.4, now may be a good time. At next week’s Black Hat security conference in Las Vegas, probably on August 7, Silvanovich will host a talk on interaction-less iPhone attacks. In this talk, she will explain some of the potential vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail that make these attacks possible in the first place.
However, this is not the first time Google has found flaws in Apple’s software. After Project Zero researchers unearthed two zero-day vulnerabilities in iOS, the iPhone maker had to release a security patch back in February 2019.
The security researchers who discovered these vulnerabilities obviously had no interest in exploiting the bugs for their own benefit, so iPhone users are quite lucky. According to ZDNet, bugs like these are invaluable to manufacturers of intercept tools and surveillance software, and the right buyer would likely pay millions for access to them before Apple is able to patch its software in defense.
These security researchers have obviously done a service to iOS users worldwide by disclosing these bugs to Apple.