Cybersecurity researchers have found four new exploits that allow hackers to target Apple iOS devices just by sending a maliciously-crafted message over iMessage.
The really bad news is that all the vulnerabilities can be fully exploited with literally no user interaction.
All of the four vulnerabilities are memory corruption base and can be used to achieve arbitrary code execution on the targeted iOS devices.
One of the four critical RCE vulnerabilities (CVE-2019-8646), an out-of-bounds read, can also be used by a hacker to read the content of files stored on the victim’s iOS device through leaked memory.
Remember everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend the install of antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests;
Here are our brief details, security advisory, and PoC exploits for all four vulnerabilities:
- RCE CVE-2019-8647 via iMessage
This vulnerability resides in the Core Data framework of iOS; can be used to run arbitrary code due to insecure deserialization when NSArray initWithCoder method is used.
- RCE CVE-2019-8662 via iMessage
This flaw is also similar to the above one and resides in the QuickLook component of iOS.
- RCE CVE-2019-8660 via iMessage
This is a memory corruption issue present in the Core Data framework and Siri component, which if exploited successfully will cause unexpected application termination or arbitrary code execution.
- File Read CVE-2019-8646 via iMessage
This flaw, which also resides in the Siri and Core Data iOS components, if it is exploited will allow an attacker to read the content of files stored on iOS devices remotely without user interactions
The fifth vulnerability is CVE-2019-8624, it lays in Digital Touch component of watchOS and affects Apple Watch Series 1 and later.
Users are advised to upgrade their Apple devices to the latest version of the software as soon as possible, all of the above-presented CVEs have already been fixed by Apple in the lastest OS updates
We would continue to monitor the cybersecurity world. Meanwhile, users should keep a keen eye out for any cyber-attacks. Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running, If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.