details and proof-of-concept exploits for 4 out of 5 security
vulnerabilities that could allow remote attackers to target Apple
iOS devices just by sending a maliciously crafted message over
iMessage.
All the vulnerabilities, which required no user interaction,
were responsibly reported to Apple by Samuel Groß and Natalie
Silvanovich of Google Project Zero, and the company patched them just
last week with the release of the latest iOS 12.4 update[1].
Four of these vulnerabilities are “interactionless”
use-after-free and memory corruption issues that could let remote
attackers achieve arbitrary code execution on affected iOS
devices.
However, the researchers have so far released details and exploits
for three of these four critical RCE vulnerabilities and kept one
(CVE-2019-8641) private because the latest patch update did not
completely address this issue.
The fifth vulnerability (CVE-2019-8646), an out-of-bounds read,
can also be triggered remotely by just sending a malformed message
via iMessage. But instead of code execution, this bug allows an
attacker to read the content of files stored on the victim’s iOS
device through leaked memory.
Below are brief details, links to the security advisories, and PoC
exploits for all four vulnerabilities:
- CVE-2019-8647[2] (RCE via iMessage) — This is a use-after-free
  vulnerability in the Core Data framework of iOS that can cause
  arbitrary code execution due to insecure deserialization when the
  NSArray initWithCoder method is used.
- CVE-2019-8662[3] (RCE via iMessage) — This flaw is similar to the
  above use-after-free vulnerability and resides in the QuickLook
  component of iOS; it can also be triggered remotely via iMessage.
- CVE-2019-8660[4] (RCE via iMessage) — This is a memory corruption
  issue that resides in the Core Data framework and Siri component
  and which, if exploited successfully, could allow remote attackers
  to cause unexpected application termination or arbitrary code
  execution.
- CVE-2019-8646[5] (File Read via iMessage) — This flaw, which also
  resides in the Siri and Core Data iOS components, could allow an
  attacker to read the content of files stored on iOS devices
  remotely without user interaction, as the user mobile with no
  sandbox.
Besides these 5 vulnerabilities, Silvanovich last week also
released details and a PoC exploit for another out-of-bounds read
vulnerability that also allows remote attackers to leak memory and
read files from a remote device.
The vulnerability, assigned CVE-2019-8624, resides in the Digital
Touch component of watchOS and affects Apple Watch Series 1 and
later. The issue has been patched by Apple this month with the
release of watchOS 5.3.
Since proof-of-concept exploits for all these six security
vulnerabilities are now available to the public, users are highly
recommended to upgrade their Apple devices to the latest version of
the software as soon as possible.
Besides fixing security vulnerabilities, the long-awaited iOS 12.4
update for iPhone, iPad, and iPod touch also comes with some new
features, including the ability to wirelessly transfer data and
migrate directly from an old iPhone to a new iPhone during
setup.
References
- [1] iOS 12.4 update (support.apple.com)
- [2] CVE-2019-8647 (bugs.chromium.org)
- [3] CVE-2019-8662 (bugs.chromium.org)
- [4] CVE-2019-8660 (bugs.chromium.org)
- [5] CVE-2019-8646 (bugs.chromium.org)
- [6] CVE-2019-8624 (bugs.chromium.org)