This Nasty Apple iMessage Bug Could Have Bricked Your iPhone
There are few things more inconvenient in the modern world than a bricked smartphone. A security researcher recently disclosed an iMessage bug that could brick a user’s iPhone. The bug was severe enough to require users to wipe and restore their device.
What caused the bothersome issue? Google Project Zero security researcher Natalie Silvanovich noted that a “malformed message” contained a text key, but not a string. She noted that another method would try to use the key as if it was a string without confirmation. This created “an exception as the selector does not exist in that class”.
This exception caused Springboard, an application launcher for iPhones, to crash and the device to stop responding. The bug even persisted after a hard reset. Unfortunately, there was no easy way to resolve this bug. Users had to wipe their device with the 'Find my iPhone', put the device in recovery mode and update it through iTunes, or remove their SIM card and wipe the device. iOS 12.3 resolved the issue this past May and this flaw should no longer be an issue.
Google Project Zero’s mission is to find zero-day vulnerabilities and other security flaws that could potentially pose a serious security threat. They have discovered and helped to patch a wide variety of exploits. This past March, they exposed a severe macOS XNU kernel flaw. The kernel allowed copy-on-write (COW) behavior that could help attackers mutate an on-disk file without informing the virtual management subsystem.
The Google Project Zero team supposedly reported the issue to Apple in November 2018. They then published their discovery once it became clear that Apple had done nothing after 90 days to fix the flaw. Shortly afterward, Apple agreed to work on a patch and incorporate it into future updates.
Project Zero most recently found a security vulnerability in the Mozilla Firefox browser. According to Mozilla “ a type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.” This vulnerability could enable hackers to install malware on a user’s device by tricking users into visiting certain websites. Thankfully, Mozilla responded quickly and released a patch immediately.
What caused the bothersome issue? Google Project Zero security researcher Natalie Silvanovich noted that a “malformed message” contained a text key, but not a string. She noted that another method would try to use the key as if it was a string without confirmation. This created “an exception as the selector does not exist in that class”.
This exception caused Springboard, an application launcher for iPhones, to crash and the device to stop responding. The bug even persisted after a hard reset. Unfortunately, there was no easy way to resolve this bug. Users had to wipe their device with the 'Find my iPhone', put the device in recovery mode and update it through iTunes, or remove their SIM card and wipe the device. iOS 12.3 resolved the issue this past May and this flaw should no longer be an issue.
Google Project Zero’s mission is to find zero-day vulnerabilities and other security flaws that could potentially pose a serious security threat. They have discovered and helped to patch a wide variety of exploits. This past March, they exposed a severe macOS XNU kernel flaw. The kernel allowed copy-on-write (COW) behavior that could help attackers mutate an on-disk file without informing the virtual management subsystem.
The Google Project Zero team supposedly reported the issue to Apple in November 2018. They then published their discovery once it became clear that Apple had done nothing after 90 days to fix the flaw. Shortly afterward, Apple agreed to work on a patch and incorporate it into future updates.
Project Zero most recently found a security vulnerability in the Mozilla Firefox browser. According to Mozilla “ a type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.” This vulnerability could enable hackers to install malware on a user’s device by tricking users into visiting certain websites. Thankfully, Mozilla responded quickly and released a patch immediately.
