Google security researchers have discovered a total of six vulnerabilities in Apple’s iOS software, one of which the iPhone manufacturer has yet to successfully patch. ZDNet reports that the flaws were discovered by two Google Project Zero researchers, Natalie Silvanovich and Samuel Groß, and five of them were patched with last week’s iOS 12.4 update, which contained several security fixes.
All of the vulnerabilities discovered by the researchers are “interactionless,” meaning they can be run without any interaction from a user, and they exploit a vulnerability in the iMessage client. Four of them (including the as-yet-unpatched vulnerability) rely on an attacker sending a message containing malicious code to an unpatched phone and can execute as soon as a user opens the message. The remaining two rely on a memory exploit.
Details of the five patched bugs have been published online, but the final remaining bug will remain confidential until it can be addressed by Apple. Regardless, if you haven’t updated your iPhone to iOS 12.4, now might be a good time. Silvanovich will host a talk on interactionless iPhone attacks at next week’s Black Hat security conference in Las Vegas.
We’re lucky that these vulnerabilities were discovered by security researchers who had no interest in exploiting them for their own benefit. ZDNet notes that bugs like these are invaluable to manufacturers of intercept tools and surveillance software, and the right buyer would likely pay millions for access to them before Apple is able to patch its software in defense. In disclosing these bugs to Apple, these security researchers have done a service to iOS users worldwide.