Android usually gets more attention for mobile malware than iOS as Google’s platform supports third-party app stores. Apple’s walled garden approach is seen as a strength when it comes to security, but the latest iOS update has reportedly patched two serious vulnerabilities identified by Google researchers. Your iPhone is safe if it’s updated today, but Google says the exploits were active in the wild.
Threats that are already active online prior to patches are called “zero-day” vulnerabilities. Tracking down these glitches is the mission of Google’s Project Zero team. The iOS platform is not open source, so Apple can fix many security holes internally without ever publicizing them. However, Project Zero reported CVE-2019-7286 and CVE-2019-7287 to Apple after seeing rogue apps using them against users. The scale of the attacks is not known, but Apple’s iOS 12.1.4 changelog confirms they are now patched.
Google’s Ben Hawkes publicized the bugs on Twitter, pointing out they were already out there. Since Apple didn’t know about the vulnerabilities prior to Google’s report, it would not have known to scan new apps for attempts to exploit them. It’s unlikely we’ll get more details on the attacks like how many malicious apps made it into the App Store. However, Apple has likely removed anything targeting CVE-2019-7286 and CVE-2019-7287 by now.
CVE-2019-7286 impacts the iOS Foundation Framework, a core component of the operating system. Apps can use this flaw targeting a memory corruption in the framework to gain elevated privileges. Thus, an app could access user data that it shouldn’t have.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.
— Ben Hawkes (@benhawkes) February 7, 2019
The other zero-day, CVE-2019-72867 goes after the I/O Kit module. Again, this is a core part of iOS. I/O Kit handles data interfaces between the device’s hardware and software. Apps utilizing this vulnerability can use a memory corruption to run arbitrary code with kernel privileges. An attacker could use this bug to do anything on your phone that you would be able to do.
iOS 12.1.4 is available to all iDevices from the iPhone 5s, 6th gen iPod Touch, iPad Air onward. This update also fixes that nasty FaceTime bug that let people eavesdrop on you before you answered calls. If that wasn’t enough to get you to update, maybe two new zero-day vulnerabilities will.