iPhone/iPad Users: Update Immediately
Google says it has found half a dozen major security flaws in Apple's iPhone messaging system. A new iOS update fixes five of the problems, but Google says one remains unpatched.
The flaws were discovered by Google's Project Zero, a department that takes its name from the idea of "zero day" bugs. That's where would-be hackers become aware of a security issue before the relevant software developers are able to patch the bug. The zero day bugs are then exploited which often results in elevated privileged access levels given to a rogue program.
The problems are with iMessage, the instant messaging service available to iPhone and iPad users that lets them message other Apple users without any charges or using up SMS allowances. It's also possible to run iMessage on Mac computers, though portable devices are the biggest problem in this case.
Device Files Could Be Copied
Of the five flaws Google detailed, two stood out. One would allow a rogue message to access parts of the device's memory that should be off-limits. That in turn could allow an attacker to remotely copy files from the device without having to trick the user into clicking on a link or opening an attachment.
Another flaw would let the hacker remotely crash the device. The crash would be so severe that a reset wouldn't get it working again. Instead, the user would need to reboot into the recovery mode option and then restore the device, losing all data stored on it. (Source: sky.com)
One Bug Still Unpatched
Five of the bugs are fixed in iOS 12.4, released last week. Any iPhone or iPad users who haven't installed that update need to do so immediately. While Google hasn't gone into full technical detail, it's given enough information to attract the attention of hackers who will be targeting unpatched devices. (Source: bbc.co.uk)
A sixth bug was reported to Apple as well. Google says Apple included a patch for this bug in the update but it hasn't worked. Because of this, it plans to keep all information about this bug secret until Apple fixes it successfully, or 90 days after it originally told Apple about the problem, whichever comes first.
What's Your Opinion?
If you use Apple devices, do you keep them up to date at all times? How can security experts balance making people aware of the need to apply patches and tipping off potential hackers about bugs? Should tech firms co-operate more on security?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
Google Project Zero
I’m certainly no expert, but it sure seems like these types of efforts from Google would cause as many problems as they solve. We know that none of the corporate tech giants are loyal allies of the consumer. I tend to look at all of them with a wary eye. That said, I like to make sure my iOS (and other) updates are done right away. There may be some justification for waiting until they are tested by others, but I would guess the risks are outweighed by the security benefits of prompt updating.