{"id":13792,"date":"2019-07-30T10:16:37","date_gmt":"2019-07-30T14:16:37","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/ios-critical-vulnerabilities-124\/13792\/"},"modified":"2019-11-15T15:22:03","modified_gmt":"2019-11-15T11:22:03","slug":"ios-critical-vulnerabilities-124","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ios-critical-vulnerabilities-124\/13792\/","title":{"rendered":"Update to iOS 12.4 right away"},"content":{"rendered":"<p>Updating your iPhone\u2019s or iPad\u2019s operating system as soon as the new version comes out is always a good idea \u2014 almost every new version of iOS contains fixes for some bugs that have been found in previous ones. But this time it might be even more crucial: iOS 12.4 fixes severe vulnerabilities in iMessage that can be exploited without any user interaction.<\/p>\n<p>The six critical vulnerabilities in iOS were found by <a href=\"https:\/\/twitter.com\/natashenka\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Natalie Silvanovich<\/a> and <a href=\"http:\/\/www.twitter.com\/@5aelo\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Samuel Gro\u00df<\/a>, members of Google\u2019s bug hunting team called Project Zero. What is known so far is that these bugs allow an attacker to run malicious code on a victim\u2019s iPhone or iPad with no user interaction needed. The only thing the attacker needs to do for this exploit to work is to send a malicious message to a victim\u2019s phone.<\/p>\n<p>While four of the uncovered vulnerabilities can be used for this \u201cinteraction-less\u201d remote code execution, the other two allow an attacker to read files on the hacked device and to leak data from its memory.<\/p>\n<p>Combined, these six bugs would make it possible to totally \u201cown\u201d the data stored on a victim\u2019s iPhone without the user doing anything that could be considered dangerous. 
What\u2019s more, since <a href=\"https:\/\/www.kaspersky.com\/blog\/ios-security-explainer\/23811\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">there is no antivirus software for iOS<\/a>, it would be hard for a user even to spot malicious activity, let alone prevent it.<\/p>\n<p>Such bugs are very rare and valuable to malefactors. For example, according to the publicly available price chart from Zerodium, bugs of this level can cost up to $1,000,000 <em>each<\/em>. And, the more the merrier: they get even pricier when they come in such a set. With that said, <a href=\"https:\/\/www.zdnet.com\/article\/google-researchers-disclose-exploits-for-interactionless-ios-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ZDNet puts the possible price tag<\/a> for this bunch within the range of $5 to $10 million.<\/p>\n<p>Researchers are holding back specifics about one of the vulnerabilities, as in their opinion even iOS 12.4 doesn\u2019t remediate this bug. As for the rest of the details on these bugs and proofs of concept showing how they can be exploited by attackers, Silvanovich and Gro\u00df are <a href=\"https:\/\/www.blackhat.com\/us-19\/briefings\/schedule\/#look-no-hands----the-remote-interaction-less-attack-surface-of-the-iphone-15203\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">going to reveal them in a talk<\/a> at the upcoming Black Hat USA security conference.<\/p>\n<p>In any case, the best and most practical thing for each and every iOS user to do now is install iOS 12.4 right away. 
Do not hesitate with the next version of iOS, either; it will probably polish off the remaining issues related to these vulnerabilities.<\/p>\n<ul>\n<li>To update iOS, go to <em>Settings -&gt; General -&gt; Software Update<\/em> and tap <em>Download and Install<\/em>.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2019\/07\/30181824\/ios-critical-vulnerabilities-124-update.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1242\" height=\"1514\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2019\/07\/30181824\/ios-critical-vulnerabilities-124-update.png\" alt=\"\" style=\"width:360px\" class=\"aligncenter size-full wp-image-13795\"><\/a><\/p>\n<ul>\n<li>To keep posted on vulnerabilities in the software you\u2019re using, install <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Six severe vulnerabilities in iMessage that allow remote code execution and data stealing with no user interaction? 
Sounds like a good reason to update to iOS 12.4 as soon as possible.<\/p>\n","protected":false},"author":421,"featured_media":13793,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[2138,1061,26,426,683,268],"class_list":{"0":"post-13792","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-imessage","9":"tag-ios","10":"tag-iphone","11":"tag-mobile-devices","12":"tag-spying","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ios-critical-vulnerabilities-124\/13792\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ios-critical-vulnerabilities-124\/16284\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/ios-critical-vulnerabilities-124\/6392\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ios-critical-vulnerabilities-124\/18295\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ios-critical-vulnerabilities-124\/16370\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ios-critical-vulnerabilities-124\/15057\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ios-critical-vulnerabilities-124\/18984\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ios-critical-vulnerabilities-124\/17717\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ios-critical-vulnerabilities-124\/23240\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ios-critical-vulnerabilities-124\/6283\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ios-critical-vulnerabilities-124\/27778\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ios-critical-vulnerabilities-124\/12058\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ios-critical-vulnerabilities-124\/12138\/"},{"hreflang":"pl","
url":"https:\/\/plblog.kaspersky.com\/ios-critical-vulnerabilities-124\/11024\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ios-critical-vulnerabilities-124\/19849\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ios-critical-vulnerabilities-124\/23807\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ios-critical-vulnerabilities-124\/18757\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ios-critical-vulnerabilities-124\/23099\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ios-critical-vulnerabilities-124\/23039\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ios\/","name":"iOS"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13792"}],"version-history":[{"count":6,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13792\/revisions"}],"predecessor-version":[{"id":14383,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13792\/revisions\/14383"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13793"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13792"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}