Apple is pretty conscientious about rolling out security updates but, for one reason or another, some users may not be as enthusiastic about installing them. Some may have been burned by previous updates that caused more problems than they fixed. Such users, however, may want to update to iOS 12.4 as soon as the coast is clear. It turns out that the maintenance update contains fixes for at least four critical security bugs that, according to the researchers who discovered them, could have been valued at $5 million or more.
The reason for such a high value is that these bugs require no interaction from the user to trigger. Users simply need to open a malformed message sent by a hacker and they’re already compromised. These kinds of “no user interaction” exploits are highly priced in the hacker market and, therefore, fetch a high price among bug hunters as well.
Apple runs a tight ship, so exploits like these are rare. It turns out, however, that these six bugs, reported by two members of Google’s Project Zero, affect Apple’s own iMessage or Messages iOS app. This isn’t the first of its kind though, as there was recently a bug that affected Messages as well as other third-party messaging apps, causing them to crash after receiving a single invisible character.
The vulnerabilities reported by Natalie Silvanovich and her co-researcher, however, have bigger security implications. Four of those would have allowed the execution of arbitrary code when the malicious message is opened. The other two would have allowed the attacker to read data from the device without user interaction or knowledge.
The first four of the six have been patched in iOS 12.4, but the existence of proof-of-concept exploits means users should update as soon as possible. The other two data-leaking bugs don’t have patches yet, which is why details about them are still kept behind closed doors.