Apple users, patch now! The ‘bug that got away’ has been fixed
Credit to Author: Paul Ducklin | Date: Fri, 27 Sep 2019 13:13:21 +0000
Remember the Black Hat conference of 2019?
Chances are you didn’t attend – even though it’s a huge event, the vast majority of cybersecurity professionals only experience it remotely – but you probably heard about some of the more dramatic talk titles…
…including one from Google with the intriguing title Look, no hands! – The remote, interaction-less attack surface of the iPhone.
The talk was presented by well-known Google Project Zero researcher Natalie Silvanovich, and it covered a wide-ranging vulnerability research project conducted by Silvanovich and her colleague Samuel Groß.
They decided to dig into the software components in your iPhone that automatically process data uploaded from the outside, to see if they could find bugs that might be remotely exploitable.
Silvanovich and Groß investigated five message-handling components on the iPhone: SMS, MMS, Visual voicemail, email and iMessage.
The idea was to search not for security bugs by which you could be tricked into making a serious security blunder, but for holes by which your device itself could be tricked without you even being involved.
They found several such flaws, denoted by the following CVE numbers: CVE-2019-8624, -8641, -8647, -8660, -8661, -8662, and -8663.
Most of those holes were revealed to the public in August 2019, following Project Zero’s usual approach of ‘dropping’ detailed descriptions and proof-of-concept code to do with vulnerabilities for which patches already exist.
That’s why we urged you, back in August 2019, to double-check that you were patched up to iOS 12.4 – it’s risky to be unpatched at any time, let alone after exploit code is available to anyone who cares to download it.
Interestingly, Google deliberately kept quiet about CVE-2019-8641 at the time, noting that Apple’s fix “did not fully remediate the issue”.
It looks as though the Project Zero researchers were right, because Apple’s latest slew of updates include a fix explicitly listed as:
Component: Foundation
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation
CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project Zero
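To make the advisory wording concrete, here is an added illustration of what "an out-of-bounds read addressed with improved input validation" means in general. It is not Apple's code and not the actual CVE-2019-8641 defect, whose details the advisory does not give; the message format (a one-byte length followed by a payload) and the sample messages are constructed for this example. The unchecked parser trusts the length byte, so a header that claims more bytes than arrived sends the consumer reading past the end of the buffer; the checked parser rejects such a message before anything reads it.

```c
/* Added illustration, not Apple's code and not the real CVE-2019-8641 bug:
 * a toy length-prefixed field parser showing an out-of-bounds read and the
 * bounds check that "improved input validation" typically means.
 * Constructed wire format: [1-byte length][payload of that many bytes]. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A parsed field is a view into the caller's message buffer. */
typedef struct {
    const uint8_t *data;
    size_t len;
} view_t;

/* Vulnerable version: the declared length is never compared with the number
 * of bytes that actually arrived, so the view may extend past the buffer. */
static int parse_field_unchecked(const uint8_t *msg, size_t msg_len, view_t *out) {
    if (msg_len < 1) return 0;
    out->len = msg[0];          /* BUG: trusts attacker-controlled length */
    out->data = msg + 1;
    return 1;
}

/* Hardened version: the declared length must fit inside the received bytes. */
static int parse_field_checked(const uint8_t *msg, size_t msg_len, view_t *out) {
    if (msg_len < 1) return 0;
    size_t declared = msg[0];
    if (declared > msg_len - 1) return 0;   /* reject instead of reading past msg */
    out->len = declared;
    out->data = msg + 1;
    return 1;
}

/* A consumer that touches every byte of the field. Fed a view from the
 * unchecked parser and a lying header, this loop reads out of bounds. */
static uint32_t sum_field(view_t v) {
    uint32_t s = 0;
    for (size_t i = 0; i < v.len; i++) s += v.data[i];
    return s;
}

/* Parse with the checked parser and sum the payload; -1 means rejected. */
static long checked_sum(const uint8_t *msg, size_t msg_len) {
    view_t v;
    if (!parse_field_checked(msg, msg_len, &v)) return -1;
    return (long) sum_field(v);
}

/* Length the unchecked parser would accept for a message, or -1 if it refuses.
 * It only reads the header, so calling it is safe; sum_field on its view is not. */
static long unchecked_accepted_len(const uint8_t *msg, size_t msg_len) {
    view_t v;
    if (!parse_field_unchecked(msg, msg_len, &v)) return -1;
    return (long) v.len;
}

/* Constructed sample messages. */
static const uint8_t GOOD_MSG[] = {3, 'a', 'b', 'c'};     /* header says 3, 3 bytes present */
static const uint8_t BAD_MSG[]  = {200, 'a', 'b', 'c'};   /* header says 200, only 3 present */

int main(void) {
    printf("good message, checked sum: %ld\n", checked_sum(GOOD_MSG, sizeof GOOD_MSG));
    printf("bad message, checked parser: %ld\n", checked_sum(BAD_MSG, sizeof BAD_MSG));
    printf("bad message, length the unchecked parser accepts: %ld\n",
           unchecked_accepted_len(BAD_MSG, sizeof BAD_MSG));
    return 0;
}
```

The difference between the two parsers is a single comparison of the declared length against the bytes actually received, which is why advisories of this kind so often end with "improved input validation"; the fix is small, but without it any consumer of the field (a checksum, a string copy, a decoder) becomes the out-of-bounds read.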
What else?
If you have a Mac, the above patch is the only item listed in the latest update advisory.
The update isn’t big enough to get a new release number of its own, so it’s just macOS Mojave 10.14.6 Supplemental Update 2 (or Security Update 2019-005 if you are still on High Sierra 10.13.6 or Sierra 10.12.6).
If you have an iDevice that can’t run iOS 13 – for example, an iPhone 6 or earlier or an iPad mini 3 or earlier – then you get an update to iOS 12.4.2, and the above patch is the only one listed.
But Apple has listed many other fixes in iOS 13 along with the patch for CVE-2019-8641, including:
- Fixing a data leakage bug related to watching movie files.
- Closing another of José Rodríguez’s lock screen bypasses (CVE-2019-8742).
- Beefing up Face ID to make it harder to bypass using 3D models (CVE-2019-8760).
- Stopping a data leak via iOS 13’s new keyboard add-on system (CVE-2019-8704).
Stay put or move forward?
Slightly confusingly, the iOS 13 and iOS 13.1 advisories arrived at the same time, with the iOS 13.1 advisory listing only the patch for the lock screen bug found by José Rodríguez.
We’ve already been asked if this means that anyone who hasn’t yet updated to iOS 13, and who will now end up skipping straight from iOS 12.4.1 to iOS 13.1, will somehow skip the updates listed in the iOS 13 advisory.
As far as we can tell, the answer is, “No.”
A fresh install of iOS 13.1, or an update from any earlier version of iOS, is a cumulative update with everything you need rolled into it – if you skip over an update, you won’t skip the security fixes that were in it.
We don’t know why Apple didn’t publish its iOS 13 advisory when iOS actually came out, instead of confusingly giving the impression that iOS 13 and 13.1 are alternative choices that are both available now.
One guess is that Apple didn’t want to draw too much attention to the fact that although iOS 13 received its CVE-2019-8641 fix more than a week ago, there was no corresponding fix for iOS 12.4.1, which many users were stuck with due to the age of their devices.
Anyway, all supported Apple operating systems now have the revised CVE-2019-8641 update, and it’s worth updating for that alone.
What to do?
On your Mac, go to Apple > About This Mac > Software Update…
On your iPhone, go to Settings > General > Software Update.
If you are already up to date, macOS and iOS will tell you; if not, they’ll offer to do the update right away.
Given that the headline bug in this round of patches could be abused to inject malicious code from a distance – what’s known as RCE, or Remote Code Execution – without waiting for you to click or approve anything, we recommend doing an update check right now.