Google researchers disclose six iOS vulnerabilities that are estimated to be over 500 million yen
by
Project Zero , a zero-day attack research and development team within Google, has discovered several bugs on iOS, Apple's mobile operating system. With this bug, malicious code can be executed via the iMessage app without user interaction. The six security bugs discovered by Project Zero have all been fixed in iOS 12.4 , which became available on July 23, 2019.
Google researchers disclose vulnerabilities for 'interactionless' iOS attacks | ZDNet
https://www.zdnet.com/article/google-researchers-disclose-vulnerabilities-for-interactionless-ios-attacks/
Google Researchers Close PoCs for 4 Remotely Exploitable iOS Flaws
https://thehackernews.com/2019/07/apple-ios-vulnerabilities.html
Natalie, one of Project Zero's members, reported on six vulnerabilities that could allow malicious code to execute and steal data without user interaction on iOS.・ Silvanovich. The details of one of the six vulnerabilities remain private at the time of writing.
Of the six security bugs, four are capable of remotely executing malicious code on an iOS device, requiring no user interaction to execute the code. All the attacker needs to do is send a malicious message to the target terminal, and the user will open the message and the malicious code will be executed automatically.
The four bugs reported by Project Zero are 'CVE-2019-8641' (details not shown), ' CVE-2019-8647 ', ' CVE-2019-8660 ' and ' CVE-2019-8662 '. The link includes not only technical details about the bug, but also proof-of-concept code for creating an exploit with the bug.
The remaining security bugs discovered by Project Zero are ' CVE-2019-8624 ' and ' CVE-2019-8646 '. These bugs allow an attacker to leak data from the target terminal's memory without user interaction and read those data from the remote terminal.
by Hardik Sharma
Mr. security of Shirubano Bitch and his colleagues have found a bug SamuelGroß, the security conference to be held in the United States in Las Vegas ' Black Hat USA 2019 in', the bug of detailed presentation will be. The summary of the presentation said, 'There was a rumor that there was a (non-interactive) remote vulnerability that does not require user interaction to attack the iPhone, but the technical aspects of these types of attacks are It is described that the aspect is very limited, and it seems that some details of the recent 'Vulnerabilities that can execute malicious code without specific operation by the user' will be revealed. .
When Sylvanovich announced the vulnerability, he claimed that the six vulnerabilities were 'worth $ 5 million (more than $ 540 million if sold)'. Based on the price list of ZERODIUM , which purchases vulnerabilities, the six vulnerabilities discovered this time may cost well over $ 1 million (about 110 million yen) each. In addition, when the technology media ZDNet inquires against Crowdfense that handles exploits, if it is an iOS exploit that operates without user clicks, it takes about $ 2 to $ 4 million (approximately It was said that there was an answer that it might be traded at around 220 million to about 430 million yen). As a result, ZDNet points out that Mr. Silvanovitch's '$ 5 million' rating is not an overvalued rating, and that if it is bad, it could be worth $ 10 million (approximately $ 1.1 billion).
In addition, ZDNet is also open to proof of concept code, so it is recommended to update to iOS 12.4 as soon as possible.
Related Posts: