Apple users are being warned that an iMessage security vulnerability has been discovered that could enable an attacker to read the files on their iPhones without having physical access to the device.
The iMessage vulnerability was uncovered by Google Project Zero researcher Natalie Silvanovich on May 17. Silvanovich, you may recall, is the same researcher who revealed the iMessage text attack that could brick an iPhone and survive hard resets earlier this month.
This new threat, described at some technical length on the Project Zero bug tracker site, only impacts devices that are running iOS 12 or later.
Silvanovich disclosed the CVE-2019-8646 vulnerability to Apple in May, and in June she produced a proof-of-concept showing how sending an iMessage to a targeted iPhone would cause leaked bytes of memory from SpringBoard, the application that manages the iOS home screen, to be displayed in the output of the attacking server.
As with all Google Project Zero discoveries, the vendor is given 90 days to make a patch available. After this time, the issue is made public. In this case, Apple responded quickly and the issue was fixed in the iOS 12.4 update “by preventing this class from being decoded unless it is explicitly added to the allow list,” according to the Project Zero disclosure, which continues: “better filtering of the file URL was also implemented.”
Bleeping Computer reports that “the out-of-bounds read flaw was present in the Siri and Core Data iOS components,” adding that “it impacts all iPhone 5s or later, iPad Air or later, and iPod touch 6th generation or later devices.”
“The long-standing rhetoric that Apple devices are secure is dead,” says Carl Gottlieb, data protection officer at Hudl and Duolingo, who continues, “and it has been for a while.” Gottlieb went on to explain that Apple’s massive growth and dominance in Western markets has led to greater attention from researchers and attackers alike. “This iMessage issue is a good reminder that iOS devices can be vulnerable too,” he says, but adds that the good news is that Apple does at least release fixes promptly.
“Whether it be on an Apple device, Windows or any other form of computer,” Gottlieb concludes, “the boring security advice usually saves the day: Install the system updates ASAP and be extremely careful opening messages from anyone you don’t know.”