According to two members of Google's Project Zero, four of the six security bugs they found in iMessage can lead to the execution of attacker-controlled code on a remote iOS device with no meaningful user interaction. All an attacker needs to do is send a malformed message to the victim's phone; the malicious code executes once the user opens and views the received item. In total, six serious vulnerabilities were found in iOS, and not all of them have been fully fixed yet.
iMessage: memory corruption when decoding NSKnownKeysDictionary1
The bugs were discovered by Natalie Silvanovich and Samuel Groß, both security researchers at Google Project Zero. Since April, Project Zero has reported four of them publicly: CVE-2019-8641 (details still withheld), CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662. The linked bug reports contain technical details of each bug as well as proof-of-concept code that can serve as a starting point for crafting an exploit.
Apple patches new flaws reportedly exploited in zero-day attacks
Apple has released iOS 12.4, together with security updates for macOS Mojave, fixing this vulnerability and others, including, according to the report, ones that a Google researcher says were used in the wild as zero-days.
Each Project Zero report carries the project's standard disclosure note: "This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public."
According to the price list published by the exploit broker Zerodium, vulnerabilities of this kind can earn a bug hunter well over $1 million when sold to a broker. It would not be an overestimate to say that Silvanovich has just published details of exploits worth well over $5 million, and most likely closer to $10 million.
Team Pangu also reported a FaceTime bug fixed in the same release. Impact, in the wording of Apple's advisory: a remote attacker may be able to cause arbitrary code execution. The memory corruption issue was addressed with improved input validation.
Tip: update your iPhones now; don't wait for the new emojis coming this fall. iOS 12.4 fixes remote code execution in FaceTime and iMessage, as well as code execution in WebKit/Safari. Is it even responsible to ship new emojis with every update without also raising the security bar?