Google Finds Two Zero-Day Vulnerabilities in iOS

Google Finds Two Zero-Day Vulnerabilities in iOS

Android usually gets more attention for mobile malware than iOS as Google’s platform supports third-party app stores. Apple’s walled garden approach is seen as a strength when it comes to security, but the latest iOS update has reportedly patched two serious vulnerabilities identified by Google researchers. Your iPhone is safe if it’s updated today, but Google says the exploits were active in the wild.

Threats that are already active online prior to patches are called “zero-day” vulnerabilities. Tracking down these glitches is the mission of Google’s Project Zero team. The iOS platform is not open source, so Apple can fix many security holes internally without ever publicizing them. However, Project Zero reported CVE-2019-7286 and CVE-2019-7287 to Apple after seeing rogue apps using them against users. The scale of the attacks is not known, but Apple’s iOS 12.1.4 changelog confirms they are now patched.

Google’s Ben Hawkes publicized the bugs on Twitter, pointing out they were already out there. Since Apple didn’t know about the vulnerabilities prior to Google’s report, it would not have known to scan new apps for attempts to exploit them. It’s unlikely we’ll get more details on the attacks like how many malicious apps made it into the App Store. However, Apple has likely removed anything targeting CVE-2019-7286 and CVE-2019-7287 by now.

CVE-2019-7286 impacts the iOS Foundation Framework, a core component of the operating system. Apps can use this flaw targeting a memory corruption in the framework to gain elevated privileges. Thus, an app could access user data that it shouldn’t have.

CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.

— Ben Hawkes (@benhawkes) February 7, 2019

The other zero-day, CVE-2019-72867 goes after the I/O Kit module. Again, this is a core part of iOS. I/O Kit handles data interfaces between the device’s hardware and software. Apps utilizing this vulnerability can use a memory corruption to run arbitrary code with kernel privileges. An attacker could use this bug to do anything on your phone that you would be able to do.

iOS 12.1.4 is available to all iDevices from the iPhone 5s, 6th gen iPod Touch, iPad Air onward. This update also fixes that nasty FaceTime bug that let people eavesdrop on you before you answered calls. If that wasn’t enough to get you to update, maybe two new zero-day vulnerabilities will.

Continue reading

Astronomers Might Finally Know the Source of Fast Radio Bursts
Astronomers Might Finally Know the Source of Fast Radio Bursts

A trio of new studies report on an FRB within our own galaxy. Because this one was so much closer than past signals, scientists were able to track it to a particular type of neutron star known as a magnetar.

Scientists Find Planet Where It Rains Molten Rock
Scientists Find Planet Where It Rains Molten Rock

The ground is rock, the seas are rock, and yes, even the air is rock.

Apple’s M1 Continues to Impress in Cinebench R23, Affinity Photo
Apple’s M1 Continues to Impress in Cinebench R23, Affinity Photo

New Cinebench R23 benchmarks paint AMD in a more competitive light against the M1, but Apple's SoC still acquits itself impressively. The Affinity Photo benchmark, however, is a major M1 win.

Nvidia: RTX 3000 GPUs Will Remain Hard to Find Into 2021
Nvidia: RTX 3000 GPUs Will Remain Hard to Find Into 2021

There's no hope for a near-term improvement in RTX 3000 GPU availability. Shortages will likely continue through the end of this year and into the beginning of 2021.