258 matches found
Latest Apple Text-Bomb Crashes iPhones via Message Notifications
Apple devices are vulnerable to a “text bomb” attack where simply looking at messages or posts containing characters in the Sindhi language can crash devices. Sindhi is an official language used in Pakistan. The bug affects iPhone, iPad, Macs and Apple Watches, and arises from macOS and iOS faili...
Unspecified Vulnerability in Apple iOS and iPadOS Messages Component
Apple iOS and Apple iPadOS are both products of Apple Inc. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Messages is one of the components of the application used to send text, photos, and videos. A security vulnerability exis...
CVE-2020-3844
This issue was addressed with improved checks. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. Users removed from an iMessage conversation may still be able to alter state...
Design/Logic Flaw
This issue was addressed with improved checks. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. Users removed from an iMessage conversation may still be able to alter state...
CVE-2020-3844
CVE-2020-3844 affects Apple iOS/iPadOS Messages: after a user is removed from an iMessage conversation, an attacker may still alter the state of that conversation. This is tied to the Messages component and was fixed by Apple in iOS 13.3.1 / iPadOS 13.3.1 through improved checks and state handlin...
Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass
Posted by Samuel Groß, Project Zero This post is the second in a series about a remote, interactionless iPhone exploit over iMessage. The first blog post, which introduced the exploited vulnerability, can be found here. The initial primitive gained from the vulnerability is an absolute address...
Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
Posted by Samuel Groß, Project Zero Introduction This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 fixed in iOS 12.4.1 in August 2019. It is essentially a more detailed version of ...
CVE-2019-8659
This issue was addressed with improved checks. This issue is fixed in watchOS 5.3. Users removed from an iMessage conversation may still be able to alter state...
Design/Logic Flaw
This issue was addressed with improved checks. This issue is fixed in watchOS 5.3. Users removed from an iMessage conversation may still be able to alter state...
CVE-2019-8659
CVE-2019-8659 pertains to watchOS Messages: after removal from an iMessage conversation, a user may still alter state. Affected: watchOS 5.x (watchOS 5.3 fixed). Root cause: issue was addressed via improved checks in the Messages component. Impact stated: state alteration in iMessage context; no ...
New Linux Bug Lets Attackers Hijack Encrypted VPN Connections
A team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote 'network adjacent attackers' to spy on and tamper with encrypted VPN connections. The...
iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address
During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is NSDictionary. However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also implement secu...
iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address
iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is NSDictionary...
iMessage - Decoding NSSharedKeyDictionary Can Read Object Out of Bounds Exploit
When an NSKeyedUnarchiver decodes an object, it first allocates the object using allocWithZone, and then puts the object into a dictionary for temporary objects. It then calls the appropriate initWithCoder: on the allocated object. If initWithCoder: or any method it calls decodes the same object,...
iMessage - Decoding NSSharedKeyDictionary Can Read Object Out of Bounds
When an NSKeyedUnarchiver decodes an object, it first allocates the object using allocWithZone, and then puts the object into a dictionary for temporary objects. It then calls the appropriate initWithCoder: on the allocated object. If initWithCoder: or any method it calls decodes the same object,...
In-depth exploration of iOS exploit chains found in the wild VII - vulnerability warning - the black bar safety net
In a previous article, we studied how an attacker could achieve sandbox-escaping code execution as root on the iPhone. At the end of each chain, you can see the attacker call posix_spawn, passing the path of a malicious binary file in the /tmp directory. The implant runs in the background as root,...