Google researcher says iOS 12.1.4 fixes two zero-day vulnerabilities that ‘were exploited in the wild’

Following the release of iOS 12.1.4 this afternoon, a top Google security engineer revealed two zero-day security threats. Ben Hawkes, team leader at Google’s Project Zero security team, revealed the existence of the vulnerabilities on Twitter this afternoon.

As explained by ZDNet, the two vulnerabilities were fixed as part of iOS 12.1.4’s release today. However, Hawkes says both vulnerabilities were exploited in the wild as zero-days. The two carry the identifiers CVE-2019-7286 and CVE-2019-7287.

Apple’s iOS 12.1.4 security change log says that CVE-2019-7286 relates to the iOS Foundation framework, allowing an attacker to use a memory corruption issue to gain “elevated privileges.” Meanwhile, CVE-2019-7287 centers around I/O Kit, allowing an attacker to “execute arbitrary code with kernel privileges” due to a memory corruption issue.

Apple’s security log credits “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero” for both of the findings.

Foundation

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to gain elevated privileges
  • Description: A memory corruption issue was addressed with improved input validation.

IOKit

  • Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved input validation.

As is usually the case with these sorts of zero-day vulnerabilities, details are sparse so as to prevent further attention being drawn to the specifics. Hawkes simply says that the security holes “were exploited in the wild as 0day.” It’s unlikely that we’ll learn any additional details beyond the above descriptions.

Ultimately what this means is that if Group FaceTime access wasn’t enough to convince you to upgrade to iOS 12.1.4, these two vulnerabilities should do the trick.

Author

Chance Miller

Chance is the editor-in-chief of 9to5Mac, overseeing the entire site’s operations. He also hosts the 9to5Mac Daily and 9to5Mac Happy Hour podcasts.

You can send tips, questions, and typos to chance@9to5mac.com.
