iOS 12.1.4 Patches 2 Zero-Day Vulnerabilities That ‘Were Exploited in the Wild’: Google Project Zero

By Gaurav Shukla | Updated: 8 February 2019 12:12 IST

Highlights

The CVE-2019-7286 bug allows an app to gain elevated privileges
The iOS 12.1.4 update also patches the Group FaceTime bug
The update is now available for download for all iOS users

iOS 12.1.4 Patches 2 Zero-Day Vulnerabilities That ‘Were Exploited in the Wild’: Google Project Zero

The CVE-2019-7286 and CVE-2019-7287 bugs are related to memory corruption issues

A Google security researcher on Thursday revealed that hackers have been spotted attempting to exploit two iOS vulnerabilities. Apple has patched the said vulnerabilities in iOS 12.1.4 update that was released late-yesterday, but the attacks are reportedly carried out before Apple had a chance to release the fixes. Such attacks are called zero-day exploits. It is unclear whether the attackers were successful in managing to breach the iOS devices or what were their intentions. The two iOS vulnerabilities in question carry CVE-2019-7286 and CVE-2019-7287 identifiers.

The news of the iOS zero-day exploits was revealed by Ben Hawkes, who leads Google's Project Zero team, on Twitter. He did not share any specifics though.

“CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (link) were exploited in the wild as 0day,” Hawkes wrote.

As per the Apple's advisory on iOS 12.1.4 update, both CVE-2019-7286 and CVE-2019-7287 bugs are related to memory corruption issues and were reported to the iPhone maker by Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, Samuel Groß of Google Project Zero, and an anonymous researcher. The CVE-2019-7286 bug allowed an application to gain elevated privileges in the operating system, whereas the CVE-2019-7287 let the apps execute arbitrary code with kernel privileges. Apple was able to patch both vulnerabilities by improving the input validation.

It is unlikely that we will ever know how these vulnerabilities by exploited by the hackers or who exploited them.

In addition to the two zero-day exploits, the iOS 12.1.4 update also includes a fix for the infamous Group Facetime bug that allows anyone to eavesdrop on the other persons in the call even though they had not answered the call. The update also included a fix for a bug related to Live Photos in FaceTime.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.