The flaw allowed hackers to access and read the contents of files stored on iOS devices remotely. They could access files the same way as the device owner with no sandbox, and with no user interaction needed.
The issue was discovered by Natalie Silvanovich, who is a security researcher with Google's Project Zero. As a proof of concept, she created a demo that only works on devices running iOS 12 or later. She describes it as "a simple example to demonstrate the reachability of the class in Springboard. The actual consequences of the bug are likely more serious."
In describing the issue itself, Silvanovich had this to say:
"First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed."
As mentioned, this bug has already been patched, along with two other iMessage vulnerabilities that Silvanovich recently discovered. All of them were addressed in Apple's most recent (12.4) update. If you're not in the habit of installing security updates automatically, then you'll need to grab this one and install it manually at your earliest convenience.
Smart gadgets and devices are everywhere. Regardless of the brand, a prudent owner will find ways to make sure that all their smartphones, computers, laptops, and networks in general are safe against potential vulnerabilities that could put their pertinent information at risk. Call SpartanTec, Inc. in Wilmington, NC to make sure that efficient security measures are in place to protect your personal information, business, and clients from the many different online threats today.
SpartanTec, Inc.
Wilmington, NC 28412
(910) 218-9255