Two members of Project Zero, Google’s bug-finding team, have disclosed that they discovered six security vulnerabilities in Apple’s iOS operating system.
Five of the bugs were fully patched in the iOS 12.4 update released on July 22, but one vulnerability remains unpatched. The researchers who spotted the bugs, Natalie Silvanovich and Samuel Groß, are holding off on sharing the details of the unpatched vulnerability until after a 90-day disclosure deadline has passed.
The other bugs will be discussed and exploited in real time at the Black Hat security conference in Las Vegas next week.
Remote vulnerabilities
In a series of tweets, Silvanovich explained that most of the bugs discovered were “interactionless,” meaning an attacker’s malicious code can be executed without significant user interaction.
During her presentation at the Black Hat security conference, Silvanovich will discuss “the remote, interaction-less attack surface of iOS” and the “potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail.” She will also play out two examples of vulnerabilities discovered.
ZDNet notes that bugs of this type are in high demand among hackers and would have sold for over $5 million on the black market.