Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Google Bug Communications Security Apple Technology

Google Reveals Fistful of Flaws In Apple's iMessage App (bbc.com) 41

Google researchers have shared details of five flaws in Apple's iMessage software that could make its devices vulnerable to attack. The BBC reports: In one case, the researchers said the vulnerability was so severe that the only way to rescue a targeted iPhone would be to delete all the data off it. Another example, they said, could be used to copy files off a device without requiring the owner to do anything to aid the hack. Apple released fixes last week. But the researchers said they had also flagged a sixth problem to Apple, which had not been rectified in the update to its mobile operating system.

Apple's own notes about iOS 12.4 indicate that the unfixed flaw could give hackers a means to crash an app or execute commands of their own on recent iPhones, iPads and iPod Touches if they were able to discover it. Apple has not commented on this specific issue, but has urged users to install the new version of iOS, which addresses Google's other discoveries as well as a further range of glitches and threats. One of the two Google researchers involved - Natalie Silvanovich - intends to share more details of her findings at a presentation at the Black Hat conference in Las Vegas next month.

This discussion has been archived. No new comments can be posted.

Google Reveals Fistful of Flaws In Apple's iMessage App

Comments Filter:
  • by Anonymous Coward

    millions of iPhones will have these bugs fixed within the month

    • by ffejie ( 779512 )
      Totally agree that Android's update process for major OS upgrades is in bad shape. It also makes it difficult for developers.

      In the last few years, Google has decoupled [computerworld.com] a lot of important APIs and system level calls from the OS. As a result, they have become much better about pushing major security changes through Google Play Services. You'll see these updates relatively frequently, and a lot of times, they are less disruptive than iOS pushing out a maintenance release which requires a full reboot. If yo
    • by tlhIngan ( 30335 )

      millions of iPhones will have these bugs fixed within the month

      Actually, Google's disclosing them because Apple's already fixed them and issued a patch - iOS 12.4 fixes all but one of the bugs. Google's holding back on the last one so Apple can fix it too.

      So the update should be showing up on pretty much every iPhone 5S and later already.

  • Bad actors (Score:2, Informative)

    by Anonymous Coward

    You cannot convince me that google security research is a white hat operation. They have too much financial interest in publicizing security flaws of their competitors. I would love to see Apple or Microsoft or whoever they do this to next to try suing Google.

    • Re: Bad actors (Score:2, Informative)

      by Anonymous Coward

      "Sue Google" written in permanent marker. Seriously. Evict Google from your life.

    • Who cares? Adversarial or not, the users win either way, with more secure products.

      Apple wouldn't get far suing anyone for pointing out Apple's own bugs for them (it's been tried) - but if they wanted to "retaliate" by responsibly disclosing bugs in Google products, I for one would welcome that.

    • by AmiMoJo ( 196126 )

      They practice responsible disclosure. Once notified a vendor has 90 days to fix the problem and start shipping patches. That strikes a balance between giving the vendor time to act and protecting users from vulnerabilities that might be discovered by others.

      The alternative to Google finding these flaws is that someone else does, and either exploits them for profit or does the same thing that Google did with responsible disclosure.

      What would Apple sue Google for, protecting their users?

    • This sort of "corporate tattling" is also how the government finds out Company A has been lying about the vitamin content of its baby formula, or that its Grape Juice Drink is mostly apple juice.
  • by Anonymous Coward

    already patched, flaws not present in current version of iOS, you know the one that almost every iOS device in the world is running

    • Except where people refuse to install the "latest version" because it adds things they don't want on the phones.Things that are hard to disable.

      There is no separation of "security" and "bloat" updates with Apple, just as there has been no separation in Win10 and Android.

      • by AmiMoJo ( 196126 )

        Actually Android is pretty good with separation. Most stuff can be replaced by other apps, e.g. there are open source replacements for Google services that you can use with Lineage or just install on your Android phone and disable the Google ones.

        If you disable Google services you can uninstall updates to recover disk space. You usually can't completely remove them because they are part of the OS image, but the point is that you don't have to accept updates for them if you don't want to and can mitigate sec

    • Actually, thirteen [apple.com] Google-reported flaws were patched in the current iOS version. But one of them, CVE-2019-8641, is not fully fixed yet in 12.4, and has not been disclosed.

      • So, is Google trying to supplement their income by seeking bug bounties from Apple?

        Unlike a full OS update, these security fixes added no bloatware to the device.

        And, frankly, if someone wants to stay on an old, unpatched OS when security updates exist, well, that's their problem.

        • So, is Google trying to supplement their income by seeking bug bounties from Apple?

          This is Google's Project Zero team. They attack all sorts of widely-used systems in an effort to improve the state of computer security. They don't collect bug bounties, and it's not an attempt to make Google's competitors look bad, because they attack Google's own stuff as well -- including applying their strict 90-day disclosure policy.

          P0 is an essentially altruistic project, conceived and organized by leaders in Google's security organizations who are personally passionate about security and have eno

  • by Narcocide ( 102829 ) on Tuesday July 30, 2019 @09:44PM (#59015666) Homepage

    More of Apple and Google spending their own money finding each other's security holes.

  • by chispito ( 1870390 ) on Wednesday July 31, 2019 @09:46AM (#59017362)
    ..."A Few Flaws More" and, especially, "The Good, the Bad, and the Buggy."

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...