In recent years, Google's Project Zero team has helped discover security vulnerabilities in the company's own products, as well as those developed by other tech giants. Earlier this year, it revealed a high severity flaw in the MacOS kernel, after Apple did not fix the issue within the allotted 90-day period.
Now, two members of the team, Natalie Silvanovich and Samuel Groß have disclosed details regarding four of five "interactionless" security issues in iOS. These were discovered at some point in the past three months, and were patched by Apple last week.
Today, @5aelo and I unrestricted five bugs in iMessage! Here are some highlights:— Natalie Silvanovich (@natashenka) July 29, 2019
In a series of tweets, Silvanovich took to shortly describing each of the bugs, while also linking to technical details and proof-of-concept code that can be used to demonstrate how they work. However, information regarding one of these, CVE-2019-8641, is being kept private for now, since it hasn't been resolved by Apple yet, and Project Zero's deadline for the fix is yet to pass.
Without going into too much technical details, two of the others include CVE-2019-8647 and CVE-2019-8662 (currently inaccessible), both of which can remotely be executed via iMessage, causing the receiving device to crash without any user interaction. Then there's CVE-2019-8660, which allows attackers to remotely corrupt memory. And finally, potentially one of the most dangerous of the lot, CVE-2019-8646, can enable undesired access to local files. This is how the final issue has been described:
"The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called. This presents two problems. First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed."
Essentially, all five of these flaws could have been exploited without any user-end interaction required. The full list can be viewed here; interestingly, the first two in this list are not mentioned in the tweets, though their effects read more or less the same as the aforementioned CVE-2019-8647. Silvanovich also noted that she would further discuss these bugs at her upcoming Black Hat USA talk next month.
Apple rolled out fixes for four of five aforementioned vulnerabilities with the release of iOS 12.4 last week, and will probably be patching the final one in the coming days. Now that details regarding reproduction of the code have been made public, it is highly advised that iOS users update to the latest version without delay.