
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,557
30,886



Two vulnerabilities that Apple patched in its latest iOS 12.1.4 update were successfully exploited by hackers before they were known to Apple, according to a top Google security engineer.

Ben Hawkes, team leader at Google's Project Zero security research group, revealed in a tweet that vulnerabilities identified as CVE-2019-7286 and CVE-2019-7287 in Apple's iOS 12.1.4 security change log had been exploited in the wild as "zero day".

A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

As ZDNet notes, it's unclear under what circumstances the vulnerabilities were used, but one exploit involved the iOS Foundation component and a memory corruption issue that could allow an app to gain "elevated privileges" on an iPhone 5s and later, iPad Air and later, or iPod touch 6th generation. The second vulnerability potentially allowed for kernel privileges and affected the same devices.

CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day. - Ben Hawkes (@benhawkes) February 7, 2019


Apple credited "an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero" for discovering both vulnerabilities.

Apple's iOS 12.1.4 update for the iPhone, iPad, and iPod touch was principally designed to fix an insidious privacy-invading Group FaceTime bug discovered by a high school student that could be exploited to eavesdrop on conversations.


Article Link: Google Researchers Say Hackers Exploited Two Zero-Day Vulnerabilities Patched in Apple's iOS 12.1.4 Update
 

xxray

macrumors 68040
Jul 27, 2013
3,028
9,137
Wonder if this means the exploits are related to FaceTime again. Hopefully Apple fixes it ASAP.
 

Sasparilla

macrumors 68000
Jul 6, 2012
1,962
3,378
Every hole in their OSes that Apple closes is a victory. It'd be better if these weren't being used as zero days, but that is not the way real life in computer or smartphone OSes works (the bad guys are always finding some exploits to use / sell) - so good that Apple closed these as well. Keep it up Apple.
 

69Mustang

macrumors 604
Jan 7, 2014
7,895
15,043
In between a rock and a hard place
Apple’s security changelogs are like 50+% reported by Project Zero these days, kind of makes them look bad. Also makes you wonder how many unpatched vulnerabilities there are.
I don't think Apple looks bad at all. Project Zero is just good at what they do. I'm glad they are. As long as the exploits are found and fixed, generally speaking, I don't think anyone cares who found them. Apple would only look bad if they got news of an exploit, let it hit the 90 day window without action, and PZ disclosed. 'Til that happens...
 

genovelle

macrumors 68020
May 8, 2008
2,102
2,677
Apple’s security changelogs are like 50+% reported by Project Zero these days, kind of makes them look bad. Also makes you wonder how many unpatched vulnerabilities there are.
My problem is Google is focused on finding flaws in Apple products but major flaws in their own products go unnoticed and are found by outside groups and remain unpatched. In some cases Google has just stopped supporting the devices instead of fixing it.
 

69Mustang

macrumors 604
Jan 7, 2014
7,895
15,043
In between a rock and a hard place
My problem is Google is focused on finding flaws in Apple products but major flaws in their own products go unnoticed and are found by outside groups and remain unpatched. In some cases Google has just stopped supporting the devices instead of fixing it.
Project Zero isn't focused on finding flaws in Apple products. That's just flat out lying.
 

genovelle

macrumors 68020
May 8, 2008
2,102
2,677

Project Zero isn't focused on finding flaws in Apple products. That's just flat out lying.
I could not point out the flaw of your statement if it were not my focus at this point. If this was not a focus of this program then they would not be searching around there. The issue is they have massive holes in their own platform that others are finding and they take their sweet time fixing, if at all.

Please provide me with the list of Project Zero exploits found in Android and Chrome that they made public in an article or even acknowledged. It sounds good, but not really.
 

Luke MacWalker

macrumors regular
Jun 10, 2014
137
120
If they know these vulnerabilities have been successfully exploited, would they care to tell us which apps were used for that? And any other information that could be interesting like… when did it start, an estimation of the number of people affected, what kind of information was targeted, was there any telltale sign (like app crashing). "it's unclear under what circumstances the vulnerabilities were used" is hardly useful in this regard.
 

burgman

macrumors 68030
Sep 24, 2013
2,717
2,293
When the update dropped there were comments like "I don't use FaceTime so I'm not going to install it for a while." Seems the correct answer is install it now.
If they know these vulnerabilities have been successfully exploited, would they care to tell us which apps were used for that? And any other information that could be interesting like… when did it start, an estimation of the number of people affected, what kind of information was targeted, was there any telltale sign (like app crashing). "it's unclear under what circumstances the vulnerabilities were used" is hardly useful in this regard.
This is basically a PR article; all your answers are available at Google with some research.
 

npmacuser5

macrumors 68000
Apr 10, 2015
1,758
1,966
Apple, Microsoft, and others could fix their OSes to be 99% hacker proof. We, however, would not like the user experience. Given what the customers' wants and needs are, the systems become a compromise between use and security. The jailbreaking times are a perfect example of a tightly controlled system and what users demand. Push, pull.

Three options:
Accept the balance Apple systems provide
Buy a secure device (they are out there)
Chuck it and go off grid
 

farewelwilliams

Suspended
Jun 18, 2014
4,966
18,041
Looks like they’re trying to drive attention away from the Android exploit where an attacker can send a malicious PNG file to any Android 7.0 - 9.0 to take over the system.
 

seanoo

macrumors member
May 10, 2014
35
31
Wasn’t iOS 12 supposed to reflect Apple taking a lap, focusing on stability and performance over new features? :confused::rolleyes:
 

mrex

macrumors 68040
Jul 16, 2014
3,458
1,527
europe
Looks like they’re trying to drive attention away from the Android exploit where an attacker can send a malicious PNG file to any Android 7.0 - 9.0 to take over the system.

And Google has patched it and notified Android manufacturers months ago, before releasing the information.

If your phone hasn't been patched, don't blame Google; call your Android phone manufacturer. So there is no need for Google to "drive attention" from the exploit. Google has fixed it.
 

69Mustang

macrumors 604
Jan 7, 2014
7,895
15,043
In between a rock and a hard place
I could not point out the flaw of your statement if it were not my focus at this point. If this was not a focus of this program then they would not be searching around there. The issue is they have massive holes in their own platform that others are finding and they take their sweet time fixing, if at all.

Please provide me with the list of Project Zero exploits found in Android and Chrome that they made public in an article or even acknowledged. It sounds good, but not really.
https://9to5google.com/2018/01/03/google-project-zero-cpu-security-flaw-patches-android-chrome/
https://www.zdnet.com/article/opening-this-image-file-grants-hackers-access-to-your-android-phone/
https://www.androidpolice.com/2018/09/12/google-android-usb-security-flaw/
https://searchsecurity.techtarget.com/answer/How-does-the-Android-Rowhammer-exploit-affect-users
https://www.infosecurity-magazine.com/opinions/hacking-video-conferencing/

The focus of Project Zero is to find zero day vulnerabilities. Regardless of OS. Info that's readily accessible and easily found if your goal is anything but trying to throw dirt. You're pretty transparent in your willingness to ignore truth to push an agenda.

If you have any intellectual curiosity, there's a national database: https://nvd.nist.gov/general You can search cleared vulnerabilities. Amazingly, they weren't all reported by Google.:rolleyes:
 

ikramerica

macrumors 68000
Apr 10, 2009
1,550
1,841
I’m more interested in the vulnerability the Saudis exploited where all they had to do was send a text to p0wn the iPhone of dissidents, a text you didn’t need to open, one without an attachment or bad link. I’ve heard very little about that other than the day it was revealed to have happened.
 