iMessage bug could have allowed attackers to read data from any iPhone

Google’s Project Zero has unveiled details of a bug in Apple’s iMessage that lets attackers read data from an iPhone without any user interaction.

The bug is one of four revealed by Project Zero researcher Natalie Silvanovich that Apple patched last week. Named CVE-2019-8646, it is classified with high severity. It allows attackers to read data from an iPhone without any user interaction and could also allow writing to out-of-bounds memory. Silvanovich provided proof-of-concept code that leaks bytes of memory from the targeted phone and displays it on an attacker’s remote machine.

CVE-2019-8647, also a high severity bug, crashes the iPhone’s Springboard home screen manager with no user interaction. That bug, along with the high severity CVE-2019-8660, could allow arbitrary code execution. CVE-2019-8660 would be difficult to exploit in practice, though, she added.

CVE-2019-8624, also ranked moderate, allows an attacker to crash Springboard without any interaction.

There’s one bug that Silvanovich is holding back on because she doesn’t believe that Apple has patched it properly. That’s CVE-2019-8641, which affects the iPhone 5s and later, along with all iPads since the Air and all iPods since generation six. It involves an out-of-bounds read, which allows remote attackers to cause unexpected application termination or arbitrary code execution.

In the patches that it released last week, Apple said it had fixed this issue by improving its input validation. The patch didn’t work, according to Silvanovich:

@5aelo We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability

—
Natalie Silvanovich (@natashenka) July 29, 2019

Even though that patch apparently didn’t stick, it’s still worthwhile checking to ensure that you’ve installed all the other iMessage patches (along with all the other patches that Apple dropped last week). To do that, tap the Settings icon, then select Software Update. If there’s a patch waiting to be installed, it will let you initiate it. To be safe, if you’re downloading the patch over a Wi-Fi network to save on your data plan, always use a trusted network rather than a public one.

Silvanovich discovered another bug earlier this year. Classed as moderate, CVE-2019-8573 and CVE-2019-8664 bricks the iPhone with a malformed message. It stops the phone displaying the UI and responding to input, and it survives a hard reset, rendering the phone unusable until the user reboots into recovery mode and does a restore, which deletes all their data. She disclosed that one in early July 2019 after Apple patched it in iOS 12.3.