A Google security researcher on Thursday revealed that hackers have been spotted attempting to exploit two iOS vulnerabilities. Apple has patched the said vulnerabilities in iOS 12.1.4 update that was released late-yesterday, but the attacks are reportedly carried out before Apple had a chance to release the fixes. Such attacks are called zero-day exploits. It is unclear whether the attackers were successful in managing to breach the iOS devices or what were their intentions. The two iOS vulnerabilities in question carry CVE-2019-7286 and CVE-2019-7287 identifiers.
The news of the iOS zero-day exploits was revealed by Ben Hawkes, who leads Google’s Project Zero team, on Twitter. He did not share any specifics though.
“CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (link) were exploited in the wild as 0day,” Hawkes wrote.
As per the Apple’s advisory on iOS 12.1.4 update, both CVE-2019-7286 and CVE-2019-7287 bugs are related to memory corruption issues and were reported to the iPhone maker by Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, Samuel Groß of Google Project Zero, and an anonymous researcher. The CVE-2019-7286 bug allowed an application to gain elevated privileges in the operating system, whereas the CVE-2019-7287 let the apps execute arbitrary code with kernel privileges. Apple was able to patch both vulnerabilities by improving the input validation.
It is unlikely that we will ever know how these vulnerabilities by exploited by the hackers or who exploited them.
In addition to the two zero-day exploits, the iOS 12.1.4 update also includes a fix for the infamous Group Facetime bug that allows anyone to eavesdrop on the other persons in the call even though they had not answered the call. The update also included a fix for a bug related to Live Photos in FaceTime.