Google researcher says iOS 12.1.4 fixes two zero-day vulnerabilities that ‘were exploited in the wild’ – 9to5Mac


Following the release of iOS 12.1.4 this afternoon, a top Google security engineer disclosed that the update fixes two zero-day vulnerabilities. Ben Hawkes, team leader at Google’s Project Zero security team, revealed the existence of the vulnerabilities on Twitter.

As explained by ZDNet, the two vulnerabilities were fixed as part of iOS 12.1.4’s release today. However, Hawkes says both vulnerabilities were exploited in the wild as zero-days. The two carry the identifiers CVE-2019-7286 and CVE-2019-7287.

Apple’s iOS 12.1.4 security change log says that CVE-2019-7286 relates to the iOS Foundation framework, allowing an attacker to use a memory corruption issue to gain “elevated privileges.” Meanwhile, CVE-2019-7287 centers on IOKit, allowing an attacker to “execute arbitrary code with kernel privileges” due to a memory corruption issue.

Apple’s security log credits “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero” for both of the findings.

Foundation

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to gain elevated privileges
  • Description: A memory corruption issue was addressed with improved input validation.

IOKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved input validation.

As is usually the case with these sorts of zero-day vulnerabilities, details are sparse so as to avoid drawing further attention to the specifics. Hawkes simply says that the security holes “were exploited in the wild as 0day.” It’s unlikely that we’ll learn any additional details beyond the above descriptions.

Ultimately what this means is that if Group FaceTime access wasn’t enough to convince you to upgrade to iOS 12.1.4, these two vulnerabilities should do the trick.

CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.

— Ben Hawkes (@benhawkes) February 7, 2019

About the Author

Chance Miller’s favorite gear
