Skip to content
Naked Security Naked Security

Apple users, patch now! The ‘bug that got away’ has been fixed

Apple has now patched the patch that Google said didn't patch the hole it was supposed to.

Update. Not long after we published this article, Apple announced iOS 13.1.1, fixing yet another bug.
See below for the details of which updates came out when. [2019-09-27T18:10Z]

Remember the Black Hat conference of 2019?

Chances are you didn’t attend – even though it’s a huge event, the vast majority of cybersecurity professionals only experience it remotely – but you probably heard about some of the more dramatic talk titles…

…including one from Google with the intriguing title Look, no hands! – The remote, interaction-less attack surface of the iPhone.

The talk was presented by well-known Google Project Zero researcher Natalie Silvanovich, and it covered a wide-ranging vulnerability research project conduced by Silvanovich and her colleague Samuel Groß.

They decided to dig into the software components in your iPhone that automatically process data uploaded from the outside, to see if they could find bugs that might be remotely exploitable.

Silvanovich and Groß investigated five message-handling components on the iPhone: SMS, MMS, Visual voicemail, email and iMessage.

The idea was to search not for security bugs by which you could be tricked into making a serious security blunder, but for holes by which your device itself could be tricked without you even being involved.

They found several such flaws, denoted by the following CVE numbers: CVE-2019-8624, -8641, -8647, -8660, -8661, -8662, and -8663.

Most of those holes were revealed to the public in August 2019, following Project Zero’s usual approach of ‘dropping’ detailed descriptions and proof-of-concept code to do with vulnerabilities for which patches already exist.

That’s why we urged you, back in August 2019, to double-check that you were patched up to iOS 12.4 – it’s risky to be unpatched at any time, let alone after exploit code is available to anyone who cares to download it.

Interestingly, Google deliberately kept quiet about CVE-2019-8641 at the time, noting that Apple’s fix “did not fully remediate the issue”.

It looks as though the Project Zero researchers were right, because Apple’s latest slew of updates include a fix explicitly listed as:

   [Component:] Foundation

       Impact:  A remote attacker may be able to cause unexpected 
                application termination or arbitrary code execution

  Description:  An out-of-bounds read was addressed with improved 
                input validation

CVE-2019-8641:  Samuel Groß and Natalie Silvanovich 
                of Google Project Zero

What else?

If you have a Mac, the above patch is the only item listed in the latest update advisory.

The update isn’t big enough to get a new release number of its own, so it’s just macOS Mojave 10.14.6 Supplemental Update 2 (or Security Update 2019-005 if you are still on High Sierra 10.13.6 or Sierra 10.12.6).

If you have an iDevice that can’t run iOS 13 – for example, an iPhone 6 or earlier or an iPad mini 3 or earlier – then you get an update to iOS 12.4.2, and the above patch is the only one listed.

But Apple has listed many other fixes in iOS 13 along with the patch for CVE-2019-8641, including:

  • Fixing a data leakage bug related to watching movie files.
  • Closing another of José Rodríguez’s lock screen bypasses (CVE-2019-8742).
  • Beefing up Face ID to make it harder to bypass using 3D models (CVE-2019-8760).
  • Stopping a data leak via iOS 13’s new keyboard add-on system (CVE-2019-8704).

Stay put or move forward?

Slightly confusingly, the iOS 13 and iOS 13.1 advisories arrived at the same time, with the iOS 13.1 advisory listing only the patch for the lock screen bug found by José Rodríguez.

We’ve already been asked if this means that anyone who hasn’t yet updated to iOS 13, and who will now end up skipping straight from iOS 12.4.1 to iOS 13.1, will somehow skip the updates listed in the iOS 13 advisory.

The answer is, “No.”

Even more confusingly, less than 24 hours after iOS 13.1 and iOS 13 security advitories were published side-by-side, an update notification for iOS 13.1.1 arrived [2019-09-27T17:24Z in our mailbox] to fix yet another bug (CVE-2019-8779), this time relating to sandbox security.

Apple itself is credited with discovering this bug, so whether it was introduced by one of the recent fixes and needing shovelling out quickly, or had been waiting in the wings anyway, we can’t say.

(For all we know, iOS 13.1.1 might be an emergency patch for a patch that was itself an update to that abovementioned earlier patch that Google claimed “did not fully remediate the issue.”)

Anyway, a fresh install of iOS 13.1.1, or an update from any earlier version of iOS, is a cumulative update with everything you need rolled into it – if you skip over an update and catch up later, you won’t skip the security fixes that were in the one you missed.

We don’t know why Apple didn’t publish its iOS 13 advisory more than a week ago when iOS 13 actually came out.

One guess is that Apple didn’t want to draw too much attention to the fact that although iOS 13 received its CVE-2019-8641 fix more than a week ago, there was no corresponding fix for iOS 12.4.1, which many users were stuck with due to the age of their devices.

Anyway, all supported Apple operating systems now have the revised CVE-2019-8641 update, and it’s worth updating for that alone.

What to do?

On your Mac, go to AppleAbout This MacSoftware Update…

On your iPhone, go to SettingsGeneralSoftware Update.

If you are already up to date, macOS and iOS will tell you; if not, they’ll offer to do the update right away.

Given that the headline bug in this round of patches could be abused to inject malicious code from a distance – what’s known as RCE, or Remote Code Execution – without waiting for you to click or approve anything, we recommend doing an update check right now.


Woke up today with yet another patch. 13.1 lasted all of about a day or two, now say hello to 13.1.1


Just got the email myself, 10 minutes before your comment! Updating the article now…

…and I feel a limerick coming on:

I checked for an update today
To make sure my iPhone's OK
Then I went back tonight
And I got a real fright.
There's an updated update, oy vey!


It’s not clear what updates I can expect for my iPad 4, which is limited to IOS 10 – is there any chance of this update being extended to it? Or must I expect to fall victim to this exploit?


IIRC the iPad 4 was the last of the 32-bit iDevices. Apple only makes 64-bit OSes now so the chance of an update is quite literally zero.

Of course, that probably also means that none of the exploits discussed here apply to your iOS version…


Ah, safety through obscurity! Hopefully you are right, and thanks for the thought.


Of course, you almost certainly *are* vulnerable to a bunch of ancient exploits everyone else doesn’t need to worry about.


I made my flippant remark with regard to the exploit you wrote about above, not all the ancient ones that still exist aimed at my device.
This is the major failing of Apple devices, where updates apply only to recent models, whereas Microsoft updates apply to all devices until they decide to stop updating an old version of Windows.


I have a mac running El Cap 10.11.6 but Apple say there are no updates available. Is El Cap not supported or not at risk?


Unsupported, AFAIK.

I don’t know if this is an Apple “rule”, but macOS security support (in the form of official patches) generally covers the current, previous and pre-previous versions, so El Cap has been unsupported since 10.14 came out a year ago…

…and 10.12 will fall off the map soon when 10.15 comes out.

If your Mac is too old to update to 10.13 and you want to get into the habit of security patches then you will need to switch to an OS that’s supported on your device, e.g one of the BSDs or Linux.


Thanks Paul. My Mac is an early 2009 24″ which is used to edit photographs so I am not too bothered if it cannot be upgraded to run later OS. I have a macbook pro with Mojave on so I am up to date,so far. Keep up the good work.


What I would like to see is the fix for the iphotos app that is on the Imac. For the past 1.5 years now I have been having problems where my photos app keeps shutting down especially in the middle of editing, and after I was told to wait for mojava to come out, and it’s out, yet I’m still having all the same issues where my photos are. About time it was fixed.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!