Apple released iOS 12.4 over a week ago, and many iOS users have still not updated to the latest version. Now those who haven’t yet updated to iOS 12.4 now have a good incentive to do so. They risk losing their privacy and security.
Google researchers recently disclosed six serious vulnerabilities in iOS, and Apple has fully fixed five of them in iOS 12.4. According to ZDNet, the iOS vulnerabilities were discovered by Google Project Zero researchers Natalie Silvanovich and Samuel Groß.
The iOS vulnerabilities discovered by the researchers are “interactionless.” This means they are capable of doing their job without any interaction from users. All the exploits use vulnerabilities in the iMessage client. These vulnerabilities in Messages could allow hackers to take control of your device remotely.
Four of the newly-discovered vulnerabilities, including the one not patched yet, require the attacker to send a message. The exploit is executed as soon as the victim opens the message. The other two vulnerabilities depend on a memory exploit.
Details about the five vulnerabilities that have been patched are available online, while the unpatched vulnerability will remain confidential until Apple fixes it. In a tweet, Silvanovich noted that they have not yet revealed one bug because “the fix in the advisory did not resolve the vulnerability.”
The Google researchers first reported the flaws to Apple in May. They affect all iPhone models starting with the 5s, iPod touch devices, and the iPad Air and later. To learn more about these bugs, visit the Google Project Zero bug-reporting website. The code-names of the five patched bugs are CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, CVE-2019-8624 and CVE-2019-8646, while the one that is unpatched is CVE-2019-8641. More information on these bugs could be released next week when Silvanovich gives a presentation at the Black Hat security conference in Las Vegas.
“This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components,” an abstract of Silvanovich’s talk states.
Silvanovich’s presentation is expected to get a lot of attention as no-user-interaction iOS bugs are among the best tools available to hackers, allowing them to take control of devices undetected. According to a price chart by Zerodium, such vulnerabilities can sell on the exploit market for over $1 million. This means the exploits discovered by Google researchers would be worth over $5 million.
All you need to do to stay safe from these iOS vulnerabilities is to update to iOS 12.4.
Although users are expected to update to the latest version when it is released, some users like to wait for a while before installing the new version. Apple’s own statistics support this. In fact, the company says many users haven’t yet updated to iOS 12, let alone iOS 12.4. According to Apple, about 13% of the iPhones and iPads purchased in the last five years haven’t been updated to iOS 12. Thirteen percent may not appear a big number at first glance. However, if you consider that Apple sold over 1 billion iPhones between 2016 and 2018, this 13% turns into millions of devices.
Apple is no longer signing iOS 12.3, iOS 12.3.1, and iOS 12.3.2. This means users who updated to iOS 12.4 won’t be able to downgrade to an earlier version. Apple usually stops signing older versions a few weeks after releasing an updated version.
However, this time Apple is ending the downgrade option earlier; iOS 12.4 was released just last week following an extended beta testing period. Downgrading is beneficial for those who want to jailbreak. Often it is also useful for users who experience significant bugs after installing the latest iOS version.
Now iPhone, iPad, and iPod touch owners who have upgraded to iOS 12.4 won’t be able to downgrade to an older iOS version. The only version available now for iPhones and iPads is iOS 12.4. However, developers and public beta testers can download the beta version of iOS 13.
Apple released iOS 12.3.1 in May with several bug fixes related to VoLTE and iMessage, while 12.3.2 came several weeks later. Version 12.3.2 was available only for iPhone 8 Plus users and included Portrait mode bug fixes in the Camera app.
With iOS 12.4, Apple added the ability to wirelessly transfer data from an old iPhone to a new one. iOS 12.4 also updates Apple News, making downloaded issues accessible in the My Magazines section and adding all publications in Apple News+. Users now will also be able to clear downloaded magazine issues by heading to History > Clear > Clear All.
Additionally, Apple re-enabled Walkie-Talkie functionality with iOS 12.4 and laid the groundwork for Apple Card, which is expected to debut anytime now.