Researchers from Google project Zero disclosed critical bugs that reside in iMessages that allows attackers to read local files in iPhone without any form of user interaction.
Natalie Silvanovich, a security researcher from Google project zero reported 5 different vulnerabilities along with Samuel Groß, another member of her team.
The file read vulnerability can be tracked as CVE-2019-8646 and the researcher described this vulnerability as “The class _NSDataFileBackedFuture can be deserialized even if the secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called”
“This presents two problems. First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. “
Natalie released a Proof of concept that works on devices with iOS 12 or later and its’s PoC shows leaking memory from a remote device.
Apple Patched this vulnerability in last security update that released on July 22 and the vulnerability affects iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later.
4 Other Vulnerabilities That Affected iMessage
CVE-2019-8660 – Interactionless memory corruption vulnerability allows an attacker to run arbitrary code remotely in iPhone 5s or later version and also it leads to a remote attacker may be able to cause unexpected application termination or arbitrary code execution.
CVE-2019-8647 – This Core Data interactionless use after free Remote code execution vulnerability allows Remote Attacker to compromise iMessage and crash Springboard with no user interaction in iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later
A use after free issue was addressed by Apple and improved memory management.
CVE-2019-8662 – Similar User-after-free vulnerability resides in the QuickLook component which is loaded into the Springboard process. As such, there might be scenarios in which OfficeImport library is loaded in Springboard, making this bug remotely triggerable via iMessage without any user interaction.
This vulnerability affects iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later.
CVE-2019-8641- It allows a remote attacker may be able to cause unexpected application termination or arbitrary code execution and the vulnerability PoC is holding until its deadline due to the fix in the advisory did not resolve the vulnerability.
Apple Fixed all the issues in iOS 12.4 released and you can see the Full list here.