Tuesday, 30 July 2019

Google researchers find six security bugs worth 5 million in iOS

Two members of Project Zero, Google’s bug-hunting team, have found six bugs in iOS that could have led cyber attackers to compromise devices like iPhones and iPads. The duo published the details and demo proof-of-concept code for five of the six “interactionless” security bugs that made the OS vulnerable to hackers who could have exploited it via the iMessage client. If sold in the exploit market, these six bugs would have reportedly fetched over $5 million.

The bugs were discovered by Google Project Zero security researchers Natalie Silvanovich and Samuel Groß. ZDNet reports that all the six security flaws were patched on July 22 when Apple rolled out the iOS 12.4 update. As per Silvanovich, details about one of the "interactionless" vulnerabilities are kept private because the latest iOS update did not completely patch the bug. Silvanovich will be holding a presentation about these vulnerabilities at the Black Hat security conference in Las Vegas next week.

How the bugs could have compromised iOS security

The researcher said that out of the six vulnerabilities, four could have lead to the execution of malicious code on a remote iOS device, with no user interaction needed. To compromise the device, an attacker could have sent a malicious message to the victim's phone. In such cases, the code is executed once the user opens and views the received message. The fifth and sixth bugs could have allowed an attacker to extract data from the compromised device's memory and read files off the device remotely, this too, with no user interaction.

According to a price chart published by US-based information security company Zerodium, if these bugs were sold on the exploit market, they could have brought over $1 million each for every vulnerability. It means that the bugs which the researchers published are valued between $5 million and $10 million. Vulnerability research hub Crowdfense told ZDNet that since the exploits were “interactionless,” and the vulnerabilities worked on recent versions of iOS exploits, these could have been valued between $2 million and $4 million each, that is, the total value of the bugs is between $20 million and $24 million.



from Latest Technology News https://ift.tt/2YuHiXD

No comments:

Post a Comment