Google details five patched iMessage security bugs, one remains unpatched

Posted:
in iOS edited July 31
Researchers from Google's 'Project Zero' have disclosed five of six security bugs within iOS that could have allowed an attacker to affect a target user's device via iMessage, issues that Apple has patched in its recent iOS 12.4 update.




In early July, Google Project Zero released details of an iMessage bug that could effectively brick an iPhone and force users to wipe and restore their devices, one that was patched in iOS 12.3. The team have since revealed a number of other bugs that also affect iMessage, but with different results.

The six bugs are described as "interactionless," reports ZDNet, in that all a user has to do is to open and view the contents of a malformed message. In the case of four of the bugs, the message could allow for malicious code to be run on a target device, while two others can enable an attacker to leak data from memory and to read files from the remote device.

Under Google Project Zero's operating procedure, the team publicly discloses bugs 90 days of their discovery, giving developers an opportunity to fix the issue in a software update, or after it has been determined a patch has been successfully applied. Apple's iOS 12.4 update includes patches that fixes five of the six bugs, but the sixth has been held back from being publicized as it was not completely patched out.

The bugs were discovered by Natalie Silvanovich and Samuel Gross. The released bugs are identified as CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, CVE-2019-8624, and CVE-2019-8646, while CVE-2019-8641 is currently withheld from view.

In each case, the researchers have provided technical details of how each bug functions, as well as proof-of-concept code that would work on pre-iOS 12.4 versions.

It has been estimated that, if they were to have been found privately and sold on the black market, each bug could have been worth in excess of $1 million, and in some cases, even as much as $4 million apiece.

Google's Project Zero is an effort by the search company to discover and alert software developers and device vendors of security issues in their products. Despite Google's association with Android, the project also examines other operating systems, including iOS, and has resulted in the discovery of issues in iOS' apps.

The team has also reported issues in macOS, including one where an insecure implementation of XNU's copy-on-write behavior allowing data to be written to an on-disk file without the virtual management subsystem being aware of changes, something considered by the team to be a "high severity" risk at the time.

Silvanovich will be presenting details of the findings at the Black Hat security conference next week, in a presentation about remote and interationless iPhone vulnerabilities. The talk will apparently discuss the "potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail," and explains how to set up tooling to test the components.

Comments

  • Reply 1 of 7
    cornchipcornchip Posts: 1,390member
    I'm not that knowledgeable in OS code engineering, but I understand it at a basic level so I get that it's possible, yet on another level, I don't get why this kind of stuff should be allowed to happen. Seems like anything out of the ordinary should just automatically be shut down. Which I guess the OS architects have made every attempt to ensure, and is what the hackers are constantly attempting to circumvent. So I guess this stuff will just always happen. At least in my lifetime.
    watto_cobra
  • Reply 2 of 7
    bobroobobroo Posts: 89member
    As with every Apple update; it's never a question of what is being corrected or made better, the question is what is Apple taking away? 
  • Reply 3 of 7
    bobroo said:
    As with every Apple update; it's never a question of what is being corrected or made better, the question is what is Apple taking away? 
    This doesn’t even make sense. Gibberish.
    Carnagejbdragon1STnTENDERBITSwatto_cobraRayz2016cornchipLordeHawk
  • Reply 4 of 7
    auxioauxio Posts: 2,007member
    cornchip said:
    I'm not that knowledgeable in OS code engineering, but I understand it at a basic level so I get that it's possible, yet on another level, I don't get why this kind of stuff should be allowed to happen. Seems like anything out of the ordinary should just automatically be shut down. Which I guess the OS architects have made every attempt to ensure, and is what the hackers are constantly attempting to circumvent. So I guess this stuff will just always happen. At least in my lifetime.
    The tricky part with iMessage is that they need to allow all sorts of things to be put into messages: text, emoji, images, videos, etc.  Which allows for many different avenues of attack using things which look like legitimate messages, but are really executable code in disguise.
    jbdragonmuthuk_vanalingamwatto_cobracornchip
  • Reply 5 of 7
    dysamoriadysamoria Posts: 2,283member
    auxio said:
    cornchip said:
    I'm not that knowledgeable in OS code engineering, but I understand it at a basic level so I get that it's possible, yet on another level, I don't get why this kind of stuff should be allowed to happen. Seems like anything out of the ordinary should just automatically be shut down. Which I guess the OS architects have made every attempt to ensure, and is what the hackers are constantly attempting to circumvent. So I guess this stuff will just always happen. At least in my lifetime.
    The tricky part with iMessage is that they need to allow all sorts of things to be put into messages: text, emoji, images, videos, etc.  Which allows for many different avenues of attack using things which look like legitimate messages, but are really executable code in disguise.
    But why are our CPUs executing that errant code? A CPU has no mechanism to separate executable code that was initiated with intent from that which was passed through an overflow, etc?
  • Reply 6 of 7
    SpamSandwichSpamSandwich Posts: 31,398member
    This is helpful and a nod of the head in respect to Google for trying to improve any part of iOS or Apple’s software.
    watto_cobracaladanianFileMakerFeller
  • Reply 7 of 7
    larryjwlarryjw Posts: 418member
    dysamoria said:
    auxio said:
    cornchip said:
    I'm not that knowledgeable in OS code engineering, but I understand it at a basic level so I get that it's possible, yet on another level, I don't get why this kind of stuff should be allowed to happen. Seems like anything out of the ordinary should just automatically be shut down. Which I guess the OS architects have made every attempt to ensure, and is what the hackers are constantly attempting to circumvent. So I guess this stuff will just always happen. At least in my lifetime.
    The tricky part with iMessage is that they need to allow all sorts of things to be put into messages: text, emoji, images, videos, etc.  Which allows for many different avenues of attack using things which look like legitimate messages, but are really executable code in disguise.
    But why are our CPUs executing that errant code? A CPU has no mechanism to separate executable code that was initiated with intent from that which was passed through an overflow, etc?
    There is no difference between executable code and data -- that is the nature of Von Neumann machines. Executable code is just data ... until something called an interpreter (for that data) looks at the data and treats it as commands to execute. Everything above the hardware level is just a sequence of 0's and 1's. Every interpreter will try to make sense of that sequence in its own way. Maybe that sequence represents a book, but it isn't unless the book interpreter is told to interpret it, and then that "book" is really executable code which the book interpreter "executes" to render on your device. 

    Of course, the interpreter is just data until another interpreter is told to interpret that data as a sequence of commands to execute. The CPU is just another interpreter, and because most CPU's are actually micro-coded, there is another interpreter within the CPU which executes the micro-code data and treat that data as commands. Things finally do happen because this recursion does terminate (it's not an infinite regress), but the number of levels of interpretation is quite large. 

    It's all illusion. 
    edited July 30 cornchipFileMakerFellerjony0
Sign In or Register to comment.