Security News > 2020 > January > Google Researchers Detail Critical iMessage Vulnerability
Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution.
Tracked as CVE-2019-8641, the vulnerability is considered Critical, featuring a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich.
The remote attack surface includes the iMessage data format and the NSKeyedUnarchiver API, which can be triggered both sandboxed and unsandboxed.
To address the flaw, Apple first made the vulnerable code unreachable over iMessage, but then fully addressed the vulnerability in subsequent updates.
In a talk a SecurityWeek's 2019 CISO Forum, Presented by Intel, Silvanovich discussed Project Zero's research into iMessage and their research methodology, along with what there is to learn from vulnerabilities in commonly-used software.
News URL
Related news
- Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356) (source)
- Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution (source)
- Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-12-18 | CVE-2019-8641 | Out-of-bounds Read vulnerability in Apple products An out-of-bounds read was addressed with improved input validation. | 9.8 |