Google Researchers Say Hackers Exploited Two Zero-Day Vulnerabilities Patched in Apple's iOS 12.1.4 Update

Two vulnerabilities that Apple patched in its latest iOS 12.1.4 update were successfully exploited by hackers before they were known to Apple, according to a top Google security engineer.

Ben Hawkes, team leader at Google's Project Zero security research group, revealed in a tweet that vulnerabilities identified as CVE-2019-7286 and CVE-2019-7287 in Apple's iOS 12.1.4 security change log had been exploited in the wild as "zero day".

A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

As ZDNet notes, it's unclear under what circumstances the vulnerabilities were used, but one exploit involved the iOS Foundation component and a memory corruption issue that could allow an app to gain "elevated privileges" on an iPhone 5s and later, iPad Air and later, or iPod touch 6th generation. The second vulnerability potentially allowed for kernel privileges and affected the same devices.



Apple credited "an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero" for discovering both vulnerabilities.

Apple's iOS 12.1.4 update for the iPhone, iPad, and iPod touch, was principally designed to fix an insidious privacy-invading Group FaceTime bug discovered by a high school student that could be exploited to eavesdrop on conversations.




Top Rated Comments

(View all)
Avatar
1 week ago

Wonder if this means the exploits are related to FaceTime again. Hopefully Apple fixes it ASAP.

Not related to FaceTime. Both were patched yesterday along with the FaceTime Bug. They were mentioned in yesterday's article. Just weren't credited or detailed. This article is just a follow up.
Rating: 14 Votes
Avatar
1 week ago
Apple’s security changelogs are like 50+% reported by project zero these days, kind of makes them look bad. Also makes you wonder how many unpatched vulnerabilities there are.
Rating: 13 Votes
Avatar
1 week ago
.

My problem is Google is focused on finding flaws in Apple products but major flaws in their own products go unnoticed and are found by outside groups and remain unpatched. In some cases Google has just stopped supporting the devices instead of fixing it.

Project Zero isn't focused on finding flaws in Apple products. That's just flat out lying.
Rating: 7 Votes
Avatar
1 week ago

Apple’s security changelogs are like 50+% reported by project zero these days, kind of makes them look bad. Also makes you wonder how many unpatched vulnerabilities there are.

I don't think Apple looks bad at all. Project Zero is just good at what they do. I'm glad they are. As long as the exploits are found and fixed, generally speaking, I don't think anyone cares who found them. Apple would only look bad if they got news of an exploit, let it hit the 90 day window without action, and PZ disclosed. 'Til that happens...
Rating: 7 Votes
Avatar
1 week ago
Every hole in their OS's that Apple closes is a victory. It'd be better if these weren't being used as zero day's, but that is not the way real life in computer or smartphone OS's work (the bad guys are always finding some exploits to use / sell) - so good that Apple closed these as well. Keep it up Apple.
Rating: 4 Votes
Avatar
1 week ago
Yikes! I better update my iPhone 4S and iPhone 5 to the latest patch.
Rating: 1 Votes
Avatar
1 week ago
I’m more interested in the vulnerability the saudis exploited where all they had to do was send a text to p0wn the iPhone of dissidents, a text you didn’t need to open, one without an attachment or bad link. I’ve heard very little about that other than the day it was revealed to have happened.
Rating: 1 Votes
Avatar
1 week ago

It says "iPhone 5s AND LATER".

Someone needs to reboot their sarcasm detector.
Rating: 1 Votes
Avatar
1 week ago
Contrary to popular believe, iOS is obviously more bug ridden than Android due to its closed proprietary nature.

Even 14 years old kid can discover one major zero day bug is a telltale sign.
Rating: 1 Votes
Avatar
1 week ago

Yikes! I better update my iPhone 4S and iPhone 5 to the latest patch.

It says "iPhone 5s AND LATER".
Rating: 1 Votes
[ Read All Comments ]