It has been reported that Google’s team of security researchers have discovered six devastating flaws in Apple’s iMessage app, one of which they claim the company has not fixed. Five of the critical bugs which the team found in Apple’s instant messaging service iMessage have now been fixed. One of the flaws impacted both Macs and iPhones, but would cause iPhones to crash and become unusable even after being reset. Another of the flaws could allow an attacker to remotely access an Apple device and copy files off it without the owner even having to respond to a security prompt. These bugs were addressed in the iOS 12.4 release, but another of the bugs was not fixed in the most recent update.

The flaw (CVE-2019-8641), identified by the Project Zero team at Google but with details withheld, impacts the core of Apple’s operating environment, known as Foundation. This low-level framework is responsible for things like network connections, task management, file operations and, importantly, notifications and error management. When developing such low-level system services, engineers must ensure that any changes in operations resulting from patches don’t destabilise the applications using the framework. This makes “getting it right” not just a case of addressing the problem, but also of ensuring new ones aren’t created by the patch. It’s important to recognise that responsible disclosure practices at most organisations have the researcher confirm that the proposed patch addresses the identified issue. This collaboration works for the benefit of all involved, as it withholds details until adequate fixes can be created. The net result is that an application with a discovered security issue working through a responsible disclosure process is no less secure following discovery of the issue than it was prior to that event. It is only publication of the details surrounding the issue which increases risk to the consumer, as those details enable malicious actors to create their exploits and attack models.