Google Finds Two Zero-Day Vulnerabilities in iOS

Android usually gets more attention for mobile malware than iOS as Google’s platform supports third-party app stores. Apple’s walled garden approach is seen as a strength when it comes to security, but the latest iOS update has reportedly patched two serious vulnerabilities identified by Google researchers. Your iPhone is safe if it’s updated today, but Google says the exploits were active in the wild.

Threats that are already active online prior to patches are called “zero-day” vulnerabilities. Tracking down these glitches is the mission of Google’s Project Zero team. The iOS platform is not open source, so Apple can fix many security holes internally without ever publicizing them. However, Project Zero reported CVE-2019-7286 and CVE-2019-7287 to Apple after seeing rogue apps using them against users. The scale of the attacks is not known, but Apple’s iOS 12.1.4 changelog confirms they are now patched.

Google’s Ben Hawkes publicized the bugs on Twitter, pointing out they were already out there. Since Apple didn’t know about the vulnerabilities prior to Google’s report, it would not have known to scan new apps for attempts to exploit them. It’s unlikely we’ll get more details on the attacks, such as how many malicious apps made it into the App Store. However, Apple has likely removed anything targeting CVE-2019-7286 and CVE-2019-7287 by now.

CVE-2019-7286 impacts the iOS Foundation Framework, a core component of the operating system. An app can exploit a memory corruption flaw in the framework to gain elevated privileges. Thus, an app could access user data that it shouldn’t have.

CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.

— Ben Hawkes (@benhawkes) February 7, 2019

The other zero-day, CVE-2019-7287, goes after the I/O Kit module. Again, this is a core part of iOS. I/O Kit handles data interfaces between the device’s hardware and software. Apps exploiting this vulnerability can use a memory corruption to run arbitrary code with kernel privileges. An attacker could use this bug to do anything on your phone that you would be able to do.

iOS 12.1.4 is available to all iDevices from the iPhone 5s, 6th gen iPod Touch, iPad Air onward. This update also fixes that nasty FaceTime bug that let people eavesdrop on you before you answered calls. If that wasn’t enough to get you to update, maybe two new zero-day vulnerabilities will.
