Project Zero researchers Natalie Silvanovich and Samuel Gros describe the
vulnerabilities as 'interactionless.' In other words, no action on the user's part is needed to exploit the device. For at least four of them, however, the user must open a malicious message.
The iMessage client was the source of the weaknesses. Four of them (CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662) involved an attacker sending a message containing malicious code that would execute as soon as it was opened. One of these remains unpatched (CVE-2019-8641). Details on that exploit are being withheld until it is fixed.
The other two flaws (CVE-2019-8624 and CVE-2019-8646) allow an attacker to cause a memory leak and steal data using a remote device. These bugs also did not require action from the user.
Silvanovich will be appearing at the Black Hat security conference next week to present her research on remote interactionless iPhone vulnerabilities.
Zero-day exploits that require little or no interaction by the user sell for big money on the black market. ZDNet estimates that this small batch of vulnerabilities could have sold for between $5 million and $24 million due to their ability to exploit the device undetected.
Users are urged to update to iOS 12.4 if they haven't already.