Update to iOS 12.4 right away

Six severe vulnerabilities in iMessage that allow remote code execution and data stealing with no user interaction? Sounds like a good reason to update to iOS 12.4 as soon as possible.

Updating your iPhone’s or iPad’s operating system as soon as the new version comes out is always a good idea — almost every new version of iOS contains fixes for some bugs that have been found in previous ones. But this time it might be even more crucial: iOS 12.4 fixes severe vulnerabilities in iMessage that can be exploited without any user interaction.

The six critical vulnerabilities in iOS were found by Natalie Silvanovich and Samuel Groß, members of Google’s bug hunting team called Project Zero. What is known so far is that these bugs allow an attacker to run malicious code on victims iPhone or iPad with no user interaction needed. The only thing the attacker needs to do for this exploit to work is to send a malicious message to a victim’s phone.

While four of the uncovered vulnerabilities can be used for this “interaction-less” remote code execution, the other two allow an attacker to read files on the hacked device and to leak data from its memory.

All six combined, these bugs would make possible total “owning” of data stored on victims’ iPhone without user doing anything that can be considered as dangerous. What’s more, since there’re no antiviruses for iOS, it would be hard for a user even to spot malicious activity, not to mention preventing it.

Such bugs are very rare and precious for malefactors. For example, according to publicly available price chart by Zerodium, bugs of this level can cost up to $1,000,000 each. And, the more the merrier, they get even pricier when they come in such a set. With that said, ZDNet puts the possible price tag for this bunch within the range of $5 to $10 million.

Researchers are holding back specifics about one of the vulnerabilities, as in their opinion even iOS 12.4 doesn’t remediate this bug. As for the rest of the details on these bugs and proof of concept of how they can be exploited by attackers, Silvanovich and Groß are going to reveal them in a talk at the upcoming Black Hat USA security conference.

In any case, the best and most practical thing for each and every iOS user to do now is install iOS 12.4 right away. Do not hesitate with the next version of iOS, either; it will probably polish off the remaining issues related to these vulnerabilities.

  • To update iOS, go to Settings -> General -> Software Update and tap Download and Install.