Google Researchers Publish Technical Details of Critical iMessage Vulnerability

Google Project Zero security researchers have published technical details on the critical iMessage vulnerability that was addressed last year.


About the iMessage vulnerability


Tracked as CVE-2019-8641, the vulnerability is considered ‘critical’ and has a CVSS score of 9.8. It affects only devices running iOS 12 or later. A remote attacker could exploit it to cause unexpected application termination or arbitrary code execution.

Giving further details on the exploitation process, Groß, one of the security researchers, says that the flaw can allow an attacker who knows the user’s Apple ID (mobile phone number or email address) to gain control over an iOS device within a few minutes.

This would further allow the attacker to exfiltrate files, passwords, authentication codes, emails, SMS messages, and other data. Moreover, the attacker could spy on the user through the device’s microphone and camera, all without user interaction or any visual indicator. A proof-of-concept exploit targeting iPhone XS running iOS 12.4 is available on the Project Zero issue 1917 discussion board.


Mitigation


Apple has addressed the vulnerability with the release of iOS 12.4.2 for iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch 6th generation. The vulnerability has also been patched in macOS Mojave 10.14.6, watchOS 5.3.2, and tvOS 12.4.