Researchers at Google have shared details of what may be one of the largest attacks against iPhone owners that we’re aware of. Ian Beer of Google’s Project Zero has provided information about the 0-day exploit that allowed a number of websites to deploy malware onto iPhones.

What’s most interesting about this is that there was no particular group of people who were targeted. In fact, Beer says that anyone who happened to come across the hacked websites would find themselves with compromised devices.

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

Beer went on to say that there were a total of 14 vulnerabilities found across five distinct exploit chains thanks to the help of Google’s Threat Analysis Group (TAG). At least one of those was a 0-day exploit that allowed the attackers to gain elevated privileges on impacted iPhones. This also affected devices with the most recent version of iOS installed at the time – all versions of iOS 12 were impacted – although a subsequent update has plugged the hole.

Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286). We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019. We also shared the complete details with Apple, which were disclosed publicly on 7 Feb 2019.

There’s a very detailed blog post outlining exactly what the exploit chains were over on the Project Zero blog. It’s dry reading, but well worth it if you’re at all interested in how these things work.

The important thing to remember here is that Apple has fixed the issue so it is not live currently. At least, so long as you’re using iOS 12.4.1 or later of course.

You may also like to check out:

You can follow us on Twitter, or Instagram, and even like our Facebook page to keep yourself updated on all the latest from Microsoft, Google, Apple, and the Web.

Related Stories