Google Project Zero researchers discovered six iPhone security vulnerabilities, one of which remains unpatched, and four of which could lead to the execution of malicious code.
All of the vulnerabilities are “interaction-less,” meaning they can be run without any interaction from a user and can be exploited via SMS, MMS, Visual Voicemail, iMessage and Mail, according to an abstract of a presentation the researchers will give at Black Hat 2019 that will reveal details of the exploits.
Four of the flaws can be exploited via an attacker sending malicious code to an unpatched device and can execute as soon as the user opens the message while the other two flaws rely on a memory exploit.
Five of the vulnerabilities were addressed in the iOS 12.4 update, the details of which have already been published however, the final bug will remain confidential until it can be addressed by Apple.
If sold on the black market, the vulnerabilities could go for at least $1 million apiece, according to a price chart published by Zerodium, while some estimate the researchers could get as much as $10 million for details of the flaws.