It turns out that, prior to the fix, hackers had the ability to send iMessagers special links that, when clicked, granted access to the otherwise encrypted messages sent between iPhone users. In fact, so simple was the vulnerability that security researchers at Bishop Fox said that, “You don’t need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode, or ROP chains.” But now, Apple has addressed the issue, and your correspondence is safe once more.
While the problem has been addressed, it does nothing for the security reputation of Apple, who has recently had their iPhone hacked by the FBI as well as by researchers at John Hopkins, who published their own findings on iPhone vulnerabilities just a few weeks ago. This latest hole was discovered by researchers Joe DeMesy and Shubham Shah of Bishop Fox, along with Matt Bryant of Uber’s security team. The trio told Apple before they told the public, and thus far, there’s no evidence to suggest that any iMessage user fell victim to an attack as a result from the security flaw.
According to VentureBeat, an iMessage attack of this nature would have relied upon “javascript code in place of an iMessage URL in a classic cross-scripting attack.” The vulnerability was addressed with the CVE-2016-1764 update, which went into effect last month, so users now have no reason to worry. Of course, any sort of security flaw within Apple generally causes some sort of ruckus, but the company has yet to respond to requests for comment. In the meantime, however, rest assured that the latest version of Apple’s software contains no such holes — so if you haven’t yet updated, hop to.
