Google Project Zero researchers Natalie Silvanovich and Samuel Groß have discovered six vulnerabilities in iOS one of which Apple is yet to patch successfully. The researchers are part of Google’s elite bug hunting program that often finds such exploits in other services and informs the relevant companies so that they can be patched before some bad actors exploit them.
Five of the six iOS vulnerabilities that were discovered by these researchers were patched with the iOS 12.4 update that Apple sent out last week. It did bring security fixes for compatible devices and these patches were included in it. All of the six vulnerabilities that the two discovered are “interactionless,” which means that they can run without requiring any interaction from the user.
This is done by exploiting a vulnerability in the iMessage client. Four of them, which includes the one that’s still not patched, needs an attacker to send a message with malicious code to an unpatched device. It can then execute as soon as the message is opened by the user. The other two vulnerabilities use a memory exploit.
The security researchers have posted the details of the five bugs that have been patched by Apple. They will not reveal the details of the bug that still remains unpatched until Apple rolls out a fix.