The flaw allowed hackers to access and read the contents of files stored on iOS devices remotely. They could access files the same way as the device owner with no sandbox, and with no user interaction needed.
The issue was discovered by Natalie Silvanovich, who is a security research with Google’s Project Zero. As a proof of concept, she created a demo that only works on devices running iOS 12 or later. She describes it as “a simple example to demonstrate the reach-ability of the class in Springboard. The actual consequences of the bug are likely more serious.”
In describing the issue itself, Silvanovich had this to say:
“First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.”
As mentioned, this bug has already been patched, along with two other iMessage vulnerabilities that Silvanovich recently discovered. All of them were addressed in Apple’s most recent (12.4) update. If you’re not in the habit of installing security updates automatically, then you’ll need to grab this one and install it manually at your earliest convenience.
Used with permission from Article Aggregator