Project Zero Team Reveal Exploits for 'Interactionless' iOS Attacks

The details and demo exploit code for five of six 'interactionless' vulnerabilities, which impact the iOS operating system and can be exploited via the iMessage client, have been published by Google's Project Zero team.

ZDNet reports that Natalie Silvanovich, one of the two Google Project Zero researchers behind the discovery, stated that "four of the six security bugs - CVE-2019-8641 (details kept private), CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662 - can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim's phone, and the malicious code will execute once the user opens and views the received item."

The fifth and sixth bugs - CVE-2019-8624 and CVE-2019-8646 - can "allow an attacker to leak data from a device's memory and read files off a remote device, also with no user interaction."

All six security flaws were patched in Apple's iOS 12.4 release on July 22. The details of CVE-2019-8641 were kept private because Apple's iOS 12.4 patch did not completely resolve the bug.

If you want to stay informed about vulnerabilities, subscribe to SecAlerts and receive a free weekly report of CVEs and security news relating to your stack.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.