Security News > 2020 > January > Google Researchers Detail Critical iMessage Vulnerability
Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution.
Tracked as CVE-2019-8641, the vulnerability is considered Critical, featuring a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich.
The remote attack surface includes the iMessage data format and the NSKeyedUnarchiver API, which can be triggered both sandboxed and unsandboxed.
To address the flaw, Apple first made the vulnerable code unreachable over iMessage, but then fully addressed the vulnerability in subsequent updates.
In a talk a SecurityWeek's 2019 CISO Forum, Presented by Intel, Silvanovich discussed Project Zero's research into iMessage and their research methodology, along with what there is to learn from vulnerabilities in commonly-used software.
News URL
Related news
- Google Patches New Android Kernel Vulnerability Exploited in the Wild (source)
- Researchers Uncover 10 Flaws in Google's File Transfer Tool Quick Share (source)
- CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks (source)
- Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data (source)
- SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access (source)
- Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633) (source)
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195) (source)
- GitLab warns of critical pipeline execution vulnerability (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-12-18 | CVE-2019-8641 | Out-of-bounds Read vulnerability in Apple products An out-of-bounds read was addressed with improved input validation. | 7.5 |