Over 90 percent of Apple iPhone users — consumer and enterprise — are still vulnerable to bugs in iOS that can be remotely exploited without any user interaction via the iMessage client. These could reveal pictures, videos, notes, PDFs and so on stored on the phone.

Though Apple has fully patched five of six critical flaws revealed earlier this week by Google’s Project Zero with the 12.4 iOS update, as of August 1 only 9.6 percent of enterprise devices have been updated, according to Dan Cuddeford, senior director of systems engineering at Wandera.

As Threatpost previously reported, the most severe of the bugs are CVE-2019-8624 and CVE-2019-8646, which allow an attacker to read files off an iOS device remotely, without any interaction from the victim.

“The exploit initiates a dump of the victim’s iMessage database and compromises the iOS sandbox, putting files on the device at risk,” explained Cuddeford, in a post on Thursday. “This vulnerability calls into question the integrity of iOS sandboxing, which is one of the most significant fundamentals of the entire iOS security model. This iMessage exploit has similar implications to a jailbreak in that the weakness in iMessage exposes the file space on the device.”

The code to exploit these vulnerabilities is publicly available, he added, so anyone with a MacOS device and the phone number or iMessage account details of a victim could attack and spy on a target: “[This] is very easy for any bad actors to execute. Unlike the recent WhatsApp vulnerability, anyone with intermediate to advanced computing skills can use this code to hack any iPhone which hasn’t been updated.”

Wandera testing of the exploit showed that results varied depending on the state of the victim’s device. However, “for a persistent, malicious actor who knows the iOS file system well, and knows what they’re looking for, it is likely they could gain access to sensitive files outside of iMessage due to the sandbox compromise,” Cuddeford said.

The patch for iOS was released on July 22, but user notifications haven’t rolled out; iPhone owners need to manually visit the “software update” section in the settings area and initiate the download.

“According to the data in our network of enterprise devices, only 9.6 percent of devices have been updated to iOS 12.4, as of August 1 – 10 days after the patch was released on July 22 and three days after the vulnerability was disclosed to the public on July 29,” Cuddeford said.

Google Project Zero plans to discuss its iMessage bug findings further next week at Black Hat 2019, taking place Aug. 7 and 8 in Las Vegas. Be sure to follow all Black Hat and DEF CON 27 coverage right here at Threatpost.