Six serious security vulnerabilities that were patched in the iOS 12.4 update released earlier this month were originally discovered by security researchers at Google.
Natalie Silvanovich and Samuel Groß, two members of Google’s Project Zero bug-hunting team, warned Apple about the issues. Silvanovich will lay out the details of several bugs and offer a demonstration of exploits in action at the Black Hat security conference, set to be held in Las Vegas next week.
The majority of the vulnerabilities discovered by Google were so-called “interactionless” bugs, which means that they can be exploited on a remote iOS device without requiring any sort of direct interaction with the phone. An attacker simply has to send malicious code via iMessage and wait for the victim to open it. Because these “interactionless” bugs are in huge demand among hackers, the security flaws discovered could have sold on the black market or other seedy parts of the internet for as much as $5 million apiece, according to ZDNet.
Details of the five patched bugs have been published online, but the final bug will remain confidential until it can be addressed by the tech giant. Regardless, if users haven’t updated their iPhone to iOS 12.4, now might be a good time. Silvanovich will soon host a discussion on interactionless iPhone attacks at next week’s Black Hat security conference in Las Vegas.
It seems we are fortunate that these vulnerabilities were discovered by security researchers who had no interest in exploiting them for their own benefit. ZDNet notes that bugs like these are invaluable to manufacturers of intercept tools and surveillance software, and that a genuine customer would likely pay millions for access to them before Apple can patch its software in defense. By disclosing these bugs to the tech giant, these security researchers have done a service to iOS users worldwide.