Android usually gets more attention for mobile malware than iOS as Google’s platform supports third-party app stores. Apple’s walled garden approach is seen as a strength when it comes to security, but the latest iOS update has reportedly patched two serious vulnerabilities identified by Google researchers. Your iPhone is safe if it’s updated today, but Google says the exploits were active in the wild.
Threats that are already active online prior to patches are called “zero-day” vulnerabilities. Tracking down these glitches is the mission of Google’s Project Zero team. The iOS platform is not open source, so Apple can fix many security holes internally without ever publicizing them. However, Project Zero reported CVE-2019-7286 and CVE-2019-7287 to Apple after seeing rogue apps using them against users. The scale of the attacks is not known, but Apple’s iOS 12.1.4 changelog confirms they are now patched.
Google’s Ben Hawkes publicized the bugs on Twitter, pointing out they were already out there. Since Apple didn’t know about the vulnerabilities prior to Google’s report, it would not have known to scan new apps for attempts to exploit them. It’s unlikely we’ll get more details on the attacks like how many malicious apps made it into the App Store. However, Apple has likely removed anything targeting CVE-2019-7286 and CVE-2019-7287 by now.
CVE-2019-7286 impacts the iOS Foundation Framework, a core component of the operating system. Apps can use this flaw targeting a memory corruption in the framework to gain elevated privileges. Thus, an app could access user data that it shouldn’t have.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.
— Ben Hawkes (@benhawkes) February 7, 2019
The other zero-day, CVE-2019-72867 goes after the I/O Kit module. Again, this is a core part of iOS. I/O Kit handles data interfaces between the device’s hardware and software. Apps utilizing this vulnerability can use a memory corruption to run arbitrary code with kernel privileges. An attacker could use this bug to do anything on your phone that you would be able to do.
iOS 12.1.4 is available to all iDevices from the iPhone 5s, 6th gen iPod Touch, iPad Air onward. This update also fixes that nasty FaceTime bug that let people eavesdrop on you before you answered calls. If that wasn’t enough to get you to update, maybe two new zero-day vulnerabilities will.
Google Finds Zero-Day Vulnerability in Chrome, Urges Immediate Updates
If you haven't let Chrome update recently, take the time to do it now.
Mozilla Issues Emergency Zero-Day Firefox Patch
Mozilla advises all Firefox users to update to the latest version of the browser as soon as possible. The company has just become aware of a zero-day exploit affecting Firefox, meaning there are nefarious internet forces actively using it.
Firefox Zero-Day Used to Install Mac Malware
Mozilla issued an emergency Firefox patch earlier this week, citing a dangerous zero-day exploit. Because it believed hackers were exploiting the flaw in the wild, Mozilla declined to provide details on the nature of the problem. There are some additional details now, and they suggest the focus of the attack is on cryptocurrency exchange employees.
Cash Value of Android Zero-Day Exploits Surpasses iOS
Zerodium, the largest purchaser of security flaws, has updated its bug bounty payments. Android exploits now command a maximum of $2.5 million, but iOS tops out at $2 million.