Project Zero researchers Natalie Silvanovich and Samuel Groß describe the vulnerabilities as “interactionless.” In other words, no action on the user’s part is needed to exploit the device. For at least four of them, however, the user must open a malicious message.
The iMessage client was the source of the weaknesses. Four of them (CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662) involved an attacker sending a message containing malicious code that would execute as soon as it was opened. One of these remains unpatched (CVE-2019-8641). Details on that exploit are being withheld until it is fixed.
