Two iOS 12.1.4 Bug Fixes Already ‘Exploited In The Wild’ As Zero-Days Says Google
Apple recently released iOS 12.1.4 to allow people to use Group FaceTime once more. That absolutely had the desired effect and Group FaceTime is now available to anyone running that update, but that doesn’t mean that there aren’t problems afoot for those who don’t update.
According to Google Researcher Ben Hawkes, team leader at Google’s Project Zero security research team, there are two zero-day vulnerabilities in this new release.
According to a report by ZDNet, the two vulnerabilities were both fixed in the iOS 12.1.4 release, but Hawke says that both of them have been exploited already. Both vulnerabilities appear in the iOS 12.1.3 security log, under references CVE-2019-7286 and CVE-2019-7287.
The first of those appears to be something related to iOS Foundation, with an attacker able to use memory corruption in order to gain what’s known as “elevated privileged,” The second of the two is related to I/O Kit, with an attacker apparently able to run their own code with kernel privileges if left unabated.
With Apple acknowledging both of the issues, it also thanks a few people for their discovery including “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero.”
It’s normal for details for such things to be sketchy so as to avoid anyone taking further advantage of them, and with plenty of users having not updated to iOS 12.1.4 that’s a good thing. Hawkes has simply said that the vulnerabilities were “exploited in the wild as 0day.” That’s probably as bad as it sounds, so if you haven’t already updated, we’d suggest you do that now.