Apple iPhone/iPad users - Upgrade you iOS to 12.4 - Apple has fully patched five of six critical flaws including CVE-2019-8624 and CVE-2019-8646, which allow an attacker to read files off an iOS device remotely, without any interaction from the victim. The code to exploit these vulnerabilities is publicly available.

Only 9.6 percent of devices have been updated to iOS 12.4, as of August 1 – 10 days after the patch was released on July 22 and three days after the vulnerability was disclosed to the public on July 29.

“The exploit initiates a dump of the victim’s iMessage database and compromises the iOS sandbox, putting files on the device at risk,” explained Cuddeford, in a post on Thursday. “This vulnerability calls into question the integrity of iOS sandboxing, which is one of the most significant fundamentals of the entire iOS security model. This iMessage exploit has similar implications to a jailbreak in that the weakness in iMessage exposes the file space on the device.”


https://threatpost.com/90-enterprise-iphone-users-imessage-spy-attack/146899/