Google Reveals Devastating iPhone Vulnerabilities – But Hides One Which The Company Hasn’t Fixed

It has been reported that Google’s team of security researchers have discovered six devastating flaws in Apple’s iMessage app, one of which they claim the company has not fixed. Five of the critical bugs which the team found in Apple’s instant messaging service iMessage have now been fixed. One of the flaws impacted both Macs and iPhones, but would cause iPhones to crash and become unusable even after being reset. Another of the flaws could allow an attacker to remotely access an Apple device and copy files off it without the owner even having to respond to a security prompt. These bugs were addressed in the iOS 12.4 release, but another of the bugs was not fixed in the most recent update.

Experts Comments

August 01, 2019
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
The flaw (CVE-2019-8641) identified by the Project Zero team at Google, but with details withheld, impacts the core of Apple’s operating environment known as Foundation. This low-level framework is responsible for things like network connections, task management, file operations and importantly notifications and error management. Whenever developing such low-level system services, engineers must ensure any changes in operations resulting from patches don’t destabilise the applications using the framework. This makes “getting it right” not just a case of addressing the problem, but also ensuring new ones aren’t created by the patch. It’s important to recognise that responsible disclosure practices at most organisations have the researcher confirming the proposed patch addresses the identified issue and this collaboration works for the benefit of all involved as it withholds details until adequate fixes can be created. The net result being that an application with a discovered security issue working through a responsible disclosure process is no less secure following discovery of the issue than it was prior to that event. It is only publication of details surrounding the issue which increases risks to the consumer as those details enable malicious actors to create their exploits and attack models.
