Naked Security

Apple users, patch now! The ‘bug that got away’ has been fixed

Apple has now patched the patch that Google said didn't patch the hole it was supposed to.

Update. Not long after we published this article, Apple announced iOS 13.1.1, fixing yet another bug.
See below for the details of which updates came out when. [2019-09-27T18:10Z]

Remember the Black Hat conference of 2019?

Chances are you didn’t attend – even though it’s a huge event, the vast majority of cybersecurity professionals only experience it remotely – but you probably heard about some of the more dramatic talk titles…

…including one from Google with the intriguing title Look, no hands! – The remote, interaction-less attack surface of the iPhone.

The talk was presented by well-known Google Project Zero researcher Natalie Silvanovich, and it covered a wide-ranging vulnerability research project conducted by Silvanovich and her colleague Samuel Groß.

They decided to dig into the software components in your iPhone that automatically process data uploaded from the outside, to see if they could find bugs that might be remotely exploitable.

Silvanovich and Groß investigated five message-handling components on the iPhone: SMS, MMS, Visual voicemail, email and iMessage.

The idea was to search not for security bugs by which you could be tricked into making a serious security blunder, but for holes by which your device itself could be tricked without you even being involved.

They found several such flaws, denoted by the following CVE numbers: CVE-2019-8624, -8641, -8647, -8660, -8661, -8662, and -8663.

Most of those holes were revealed to the public in August 2019, following Project Zero’s usual approach of ‘dropping’ detailed descriptions and proof-of-concept code to do with vulnerabilities for which patches already exist.

That’s why we urged you, back in August 2019, to double-check that you were patched up to iOS 12.4 – it’s risky to be unpatched at any time, let alone after exploit code is available to anyone who cares to download it.

Interestingly, Google deliberately kept quiet about CVE-2019-8641 at the time, noting that Apple’s fix “did not fully remediate the issue”.

It looks as though the Project Zero researchers were right, because Apple’s latest slew of updates include a fix explicitly listed as:

   [Component:] Foundation

       Impact:  A remote attacker may be able to cause unexpected 
                application termination or arbitrary code execution

  Description:  An out-of-bounds read was addressed with improved 
                input validation

CVE-2019-8641:  Samuel Groß and Natalie Silvanovich 
                of Google Project Zero

What else?

If you have a Mac, the above patch is the only item listed in the latest update advisory.

The update isn’t big enough to get a new release number of its own, so it’s just macOS Mojave 10.14.6 Supplemental Update 2 (or Security Update 2019-005 if you are still on High Sierra 10.13.6 or Sierra 10.12.6).

If you have an iDevice that can’t run iOS 13 – for example, an iPhone 6 or earlier or an iPad mini 3 or earlier – then you get an update to iOS 12.4.2, and the above patch is the only one listed.

But Apple has listed many other fixes in iOS 13 along with the patch for CVE-2019-8641, including:

  • Fixing a data leakage bug related to watching movie files.
  • Closing another of José Rodríguez’s lock screen bypasses (CVE-2019-8742).
  • Beefing up Face ID to make it harder to bypass using 3D models (CVE-2019-8760).
  • Stopping a data leak via iOS 13’s new keyboard add-on system (CVE-2019-8704).

Stay put or move forward?

Slightly confusingly, the iOS 13 and iOS 13.1 advisories arrived at the same time, with the iOS 13.1 advisory listing only the patch for the lock screen bug found by José Rodríguez.

We’ve already been asked if this means that anyone who hasn’t yet updated to iOS 13, and who will now end up skipping straight from iOS 12.4.1 to iOS 13.1, will somehow skip the updates listed in the iOS 13 advisory.

The answer is, “No.”

Even more confusingly, less than 24 hours after the iOS 13.1 and iOS 13 security advisories were published side-by-side, an update notification for iOS 13.1.1 arrived [2019-09-27T17:24Z in our mailbox] to fix yet another bug (CVE-2019-8779), this time relating to sandbox security.

Apple itself is credited with discovering this bug, so whether it was introduced by one of the recent fixes and needed shovelling out quickly, or had been waiting in the wings anyway, we can’t say.

(For all we know, iOS 13.1.1 might be an emergency patch for a patch that was itself an update to that abovementioned earlier patch that Google claimed “did not fully remediate the issue.”)

Anyway, a fresh install of iOS 13.1.1, or an update from any earlier version of iOS, is a cumulative update with everything you need rolled into it – if you skip over an update and catch up later, you won’t skip the security fixes that were in the one you missed.

We don’t know why Apple didn’t publish its iOS 13 advisory more than a week ago when iOS 13 actually came out.

One guess is that Apple didn’t want to draw too much attention to the fact that although iOS 13 received its CVE-2019-8641 fix more than a week ago, there was no corresponding fix for iOS 12.4.1, which many users were stuck with due to the age of their devices.

Anyway, all supported Apple operating systems now have the revised CVE-2019-8641 update, and it’s worth updating for that alone.

What to do?

On your Mac, go to Apple > About This Mac > Software Update…

On your iPhone, go to Settings > General > Software Update.

If you are already up to date, macOS and iOS will tell you; if not, they’ll offer to do the update right away.

Given that the headline bug in this round of patches could be abused to inject malicious code from a distance – what’s known as RCE, or Remote Code Execution – without waiting for you to click or approve anything, we recommend doing an update check right now.
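If you look after more than one iPhone or iPad, the version thresholds given above can be applied to a device list in one pass. This is an added example, not code from the original article or from Apple; the inventory format, device names and function names are assumptions, and macOS is left out because the supplemental update does not change the version number.

```python
# Added example: classify iOS versions against the fixed releases named in the
# article: iOS 12.4.2 (devices that can't run iOS 13) and iOS 13.1.1.
FIXED = {12: (12, 4, 2), 13: (13, 1, 1)}  # release line -> first fully patched version


def parse_version(text):
    """Turn '13.1' into (13, 1, 0); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version_text):
    """Return 'patched', 'update to X.Y.Z' or 'no fix listed' for one version."""
    version = parse_version(version_text)
    major = version[0]
    if major < min(FIXED):
        return "no fix listed"  # the article lists fixes for 12.x and 13.x only
    if major > max(FIXED):
        return "patched"  # assumption: later releases are cumulative too
    fixed = FIXED[major]
    if version >= fixed:
        return "patched"
    return "update to " + ".".join(str(n) for n in fixed)


def audit(inventory):
    """Map each device name to its status; bad version strings are flagged."""
    report = {}
    for name, version_text in inventory.items():
        try:
            report[name] = classify(version_text)
        except ValueError:
            report[name] = "unparseable version"
    return report


# Constructed sample inventory (hypothetical device names).
SAMPLE = {"iphone-6": "12.4.1", "iphone-xr": "13.1", "ipad-4": "10.3.3",
          "iphone-8": "13.1.1", "test-unit": "beta"}

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(f"{device:10} {status}")
```

A device reported as "update to 12.4.2" can instead go straight to iOS 13.1.1 if its hardware supports iOS 13, since the updates are cumulative.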

11 Comments

Woke up today with yet another patch. 13.1 lasted all of about a day or two, now say hello to 13.1.1

Reply

Just got the email myself, 10 minutes before your comment! Updating the article now…

…and I feel a limerick coming on:

I checked for an update today
To make sure my iPhone's OK
Then I went back tonight
And I got a real fright.
There's an updated update, oy vey!

Reply

It’s not clear what updates I can expect for my iPad 4, which is limited to iOS 10 – is there any chance of this update being extended to it? Or must I expect to fall victim to this exploit?

Reply

IIRC the iPad 4 was the last of the 32-bit iDevices. Apple only makes 64-bit OSes now so the chance of an update is quite literally zero.

Of course, that probably also means that none of the exploits discussed here apply to your iOS version…

Reply

Ah, safety through obscurity! Hopefully you are right, and thanks for the thought.

Reply

Of course, you almost certainly *are* vulnerable to a bunch of ancient exploits everyone else doesn’t need to worry about.

Reply

I made my flippant remark with regard to the exploit you wrote about above, not all the ancient ones that still exist aimed at my device.
This is the major failing of Apple devices, where updates apply only to recent models, whereas Microsoft updates apply to all devices until they decide to stop updating an old version of Windows.

Reply

I have a Mac running El Cap 10.11.6 but Apple say there are no updates available. Is El Cap not supported or not at risk?

Reply

Unsupported, AFAIK.

I don’t know if this is an Apple “rule”, but macOS security support (in the form of official patches) generally covers the current, previous and pre-previous versions, so El Cap has been unsupported since 10.14 came out a year ago…

…and 10.12 will fall off the map soon when 10.15 comes out.

If your Mac is too old to update to 10.13 and you want to get into the habit of security patches then you will need to switch to an OS that’s supported on your device, e.g. one of the BSDs or Linux.

Reply

Thanks Paul. My Mac is an early 2009 24″ which is used to edit photographs so I am not too bothered if it cannot be upgraded to run later OS. I have a MacBook Pro with Mojave on so I am up to date, so far. Keep up the good work.

Reply

What I would like to see is the fix for the iphotos app that is on the iMac. For the past 1.5 years now I have been having problems where my photos app keeps shutting down especially in the middle of editing, and after I was told to wait for Mojave to come out, and it’s out, yet I’m still having all the same issues where my photos are. About time it was fixed.

Reply
