Following the release of iOS 12.1.4 this afternoon, a top Google security engineer revealed two zero-day security threats. Ben Hawkes, team leader at Google’s Project Zero security team, revealed the existence of the vulnerabilities on Twitter this afternoon.

Sylvania HomeKit Light Strip

As explained by ZDNet, the two vulnerabilities were fixed as part of iOS 12.1.4’s release today. However, Hawkes says both vulnerabilities were exploited in the wild as zero-day. The two carry the identifiers of CVE-2019-7286 and CVE-2019-7287.

Apple’s iOS 12.1.4 security change log says that CVE-2019-7286 relates to the iOS Foundation framework, allowing an attacker to use a memory corruption and gain “elevated privileges.” Meanwhile, CVE-2019-7287 centers around I/O Kit, allowing an attacker to “execute arbitrary code with kernel privileges” due to a memory corruption issue.

Apple’s security log credits “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero” for both of the findings.

Foundation

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to gain elevated privileges
  • Description: A memory corruption issue was addressed with improved input validation.

IOKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved input validation.

As is usually the case with these sort of zero-day vulnerabilities, details are sparse as to prevent further attention being drawn to the specifics. Hawkes simply says that the security holes “were exploited in the wild as 0day.” It’s unlikely that we’ll learn any additional details beyond the above descriptions.

Ultimately what this means is that if Group FaceTime access wasn’t enough to convince you to upgrade to iOS 12.1.4, these two vulnerabilities should do the trick.

About the Author