Security researchers at Google have discovered six flaws in Apple’s iMessage software that could affect the iOS operating system and leave devices vulnerable to attack. The bugs were discovered by Natalie Silvanovich and Samuel Groß, digital forensic experts at Google Project Zero.
Apple has recently released fixes for the vulnerabilities and urged users to update. However, the researchers said that the update to its mobile operating system does not yet include a patch for the sixth bug.
According to the researchers, four of the six security bugs, CVE-2019-8641, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662, allow an attacker to execute malicious code on a remote iOS device without the user’s knowledge. The bugs can be exploited when an attacker sends a malicious message to the victim’s phone; the code is executed when the user opens and views the received message.
The researchers said that the fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, allow an attacker to leak data from a device’s memory and read files without user interaction.
Earlier, Natalie Silvanovich discovered that answering a WhatsApp video call could compromise a smartphone. The researcher stated that a security bug in the WhatsApp messenger application allows attackers to take control of the smartphone by placing a WhatsApp video call. Describing the issue as a “memory corruption bug in WhatsApp’s non-WebRTC video conferencing implementation,” Silvanovich stated that a heap overflow occurs when an attacker sends a specially crafted, malformed RTP (Real-time Transport Protocol) packet via a WhatsApp video call request, corrupting the device’s memory.
The security flaw, discovered in August 2018, affected the WhatsApp application on Android and iOS devices, but not WhatsApp Web, the research report stated. The Facebook-owned messaging app fixed the flaw on September 28 for the Android platform and October 3 for the iPhone platform after Silvanovich reported the issue to the WhatsApp team.