Google Reveals Devastating iPhone Vulnerabilities – But Hides One Which The Company Hasn’t Fixed

By   ISBuzz Team
Writer , Information Security Buzz | Aug 01, 2019 04:49 am PST

It has been reported that Google’s team of security researchers have discovered six devastating flaws in Apple’s iMessage app, one of which they claim the company has not fixed. Five of the critical bugs which the team found in Apple’s instant messaging service iMessage have now been fixed. One of the flaws impacted both Macs and iPhones, but would cause iPhones to crash and become unusable even after being reset. Another of the flaws could allow an attacker to remotely access an Apple device and copy files off it without the owner even having to respond to a security prompt. These bugs were addressed in the iOS 12.4 release, but another of the bugs was not fixed in the most recent update.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Tim Mackey
Tim Mackey , Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
August 1, 2019 1:38 pm

The flaw (CVE-2019-8641) identified by the Project Zero team at Google, but with details withheld, impacts the core of Apple’s operating environment known as Foundation. This low-level framework is responsible for things like network connections, task management, file operations and importantly notifications and error management. Whenever developing such low-level system services, engineers must ensure any changes in operations resulting from patches don’t destabilise the applications using the framework. This makes “getting it right” not just a case of addressing the problem, but also ensuring new ones aren’t created by the patch. It’s important to recognise that responsible disclosure practices at most organisations have the researcher confirming the proposed patch addresses the identified issue and this collaboration works for the benefit of all involved as it withholds details until adequate fixes can be created. The net result being that an application with a discovered security issue working through a responsible disclosure process is no less secure following discovery of the issue than it was prior to that event. It is only publication of details surrounding the issue which increases risks to the consumer as those details enable malicious actors to create their exploits and attack models.

Last edited 4 years ago by Tim Mackey

Recent Posts

Would love your thoughts, please comment.x