Apple still hasn’t patched an iOS flaw discovered by Google’s elite bug team despite rolling out update last week to correct other issues
- Researchers found six bugs with Apple’s iOS, one of which remains unpatched
- Four bugs target iMessage and allow attackers to send malicious code via texts
- Two bugs allow attackers to access internal memory and leak data
- Researchers will present their findings at an upcoming conference
A bug that can exploit a flaw in Apple’s iMessage remains unpatched by the company despite a round of fixes last week.
According to ZDNet, while five of six vulnerabilities discovered by researchers were mended by last week’s iOS 12.4 update, one flaw — which has not yet been detailed — remains ongoing.
The bugs, which were found by Google Project Zero researchers Natalie Silvanovich and Samuel Groß, are reportedly ‘interactionless,’ meaning they do not require user input to work. Many of the flaws affect iMessage.
Five of the bugs discovered by researchers were patched, but one undocumented flaw remains open.
As noted by The Verge, four of the flaws, including one that remains unpatched, target victims by sending malicious code in a text message. To attack users, all a victim has to do is open the message.
The other two patched bugs leveraged a flaw in iOS memory and allowed attackers to hoover data from the phone onto a remote device according to AppleInsider.
Apple’s iOS flaw will remain undisclosed until the bug has been fully patched according to ZDNet.
While the bugs were uncovered by security researchers whose purpose for probing software like Apple’s iOS is to improve their safety, AppleInsider reports that had the bugs been sold on the black market, each could fetch a price tag of $1 to $4 million.
Google’s Project Zero is behind the documentation of other high profile security flaws in the past, including a ‘high-severity’ bug reported earlier this year.
The flaw allowed hackers to exploit a flaw in Apple’s MacOS, giving them covert access to internal files.
Researchers behind the identification of the recent set of bugs plan to present findings at an upcoming BlackHat Security conference in Las Vegas next week.
‘There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices,’ reads the presentation’s description.
‘This presentation explores the remote, interaction-less attack surface of iOS.’
