A top Google security researcher says two of the security holes that Apple patched in yesterday’s iOS 12.1.4 update had been successfully exploited by hackers before Apple became aware of them.
Ben Hawkes, team leader at Google’s Project Zero security research group, revealed in a tweet that vulnerabilities identified as CVE-2019-7286 and CVE-2019-7287 in Apple’s iOS 12.1.4 security change log had been exploited in the wild as “zero day”.
A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.
— Ben Hawkes (@benhawkes) February 7, 2019
Apple gave credit to “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero”.
The first vulnerability was a memory corruption issue in the iOS Foundation component that could allow a malicious app to gain “elevated privileges” on an iPhone 5s and later, iPad Air and later, or iPod touch 6th generation. The second security hole provided kernel privileges and affected those same devices. ZDNet notes that it isn’t currently known how the vulnerabilities were used by bad guys.
Apple released the iOS 12.1.4 update on Thursday. It was developed to fix an invasive Group FaceTime bug that allowed a FaceTime caller to eavesdrop on the conversations of a Group FaceTime call recipient, even if the recipient didn’t accept the call.