Google’s Project Zero found six ‘interactionless’ iOS security vulnerabilities

If sold on the exploit market, these flaws could be worth as much as $31.5 million CAD

iPhone XS Max

Google’s bug-hunting team, Project Zero, is uncovering security flaws in Apple operating systems again, this time publishing details about five of six ‘interactionless’ vulnerabilities in iOS.

According to the documents, the flaws could allow a malicious actor to execute code on a remote iOS device through a “malformed” iMessage. The victim wouldn’t need to do anything special to allow the code to run — opening and viewing the message is enough.

Project Zero researchers Natalie Silvanovich and Samuel Groß uncovered the bugs and published technical details and proof-of-concept code that shows how someone could exploit the flaws.

The first four bugs, CVE-2019-8641, CVE-2019-8647, CVE-2019-8660 and CVE-2019-8662, all rely on iMessage to execute code. While Apple patched all four in the iOS 12.4 update, the researchers said the 8641 flaw is still unresolved. As such, Silvanovich chose not to publish details regarding that bug.

The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, allow attackers to leak data from the target device’s memory and remotely read files from a device. Again, both require no interaction from the victim.

If you haven’t already, now would be a great time to update to iOS 12.4 to protect yourself against these exploits.

Silvanovich will host a presentation about the vulnerabilities at the Black Hat security conference in Las Vegas next week, where it’s likely to garner a lot of attention.

According to ZDNet, ‘no-user-interaction’ iOS bugs like this typically can be found in the hands of exploit vendors and the makers of legal intercept tools and surveillance software. No-interaction bugs are highly sought-after, as they allow undetected access to a victim’s device.

Further, security flaws like this could sell for over $1 million USD (roughly $1.3 million CAD) on the exploit market, based on a price chart published by Zerodium. With that in mind, it’s safe to say Silvanovich published details on exploits totalling over $5 million USD (about

$6.5 million CAD) and likely worth as much as $10 million USD (approximately $13 million CAD).

Exploit vendor Crowdfense told ZDNet iOS flaws like these could be worth as much as $2 million to $4 million USD, for a total value upwards of $24 million USD (about $31.5 million CAD).

This is the first iMessage vulnerability discovered by Project Zero. The bug-hunters uncovered a vulnerability earlier this month. Google also found a severe macOS kernel vulnerability.

Source: Google Project Zero, (2), (3), (4), (5) Via: ZDNet