Apple fixed two zero-day exploits in addition to FaceTime bug with iOS 12.1.4 update
Apple faced a great deal of public criticism for missing a scary privacy-invading FaceTime bug that a 14-year-old actually discovered before the company’s cybersecurity experts, but interestingly enough, the other three vulnerabilities fixed with the latest iOS update made far fewer headlines.
While you may think that’s due to a lower severity level for issues relating to the Live Photos feature in FaceTime, the iOS Foundation framework, and the I/O Kit framework, Twitter user Ben Hawkes claims two of these lesser-known vulnerabilities were in fact “exploited in the wild as 0day.”
Hawkes is not just some random guy making unsubstantiated accusations on social media, mind you, working for Google as Project Zero team lead. The seasoned white hat hacker is basically in charge of finding precisely these types of zero-day vulnerabilities in both Google-developed and third-party software.
In other words, he knows exactly what he’s talking about, and if he says exploits were out in the wild, that definitely happened. What we don’t know just yet and we will probably never know is the nature of these “0day” attacks.
At the same time, Apple is as cryptic as always in “detailing” the issues fixed by iOS 12.1.4. The CVE-2019-7286 vulnerability is apparently a “memory corruption issue” that potentially allowed “an application to gain elevated privileges”, with a different “memory corruption issue” referenced as CVE-2019-7287 as it opened the door for “an application to execute arbitrary code with kernel privileges.”
Both bugs sound serious, but as there’s no way to know what damage they may have caused and for how long, we should probably just focus on the best method to avoid them right now. If you haven’t updated your iPhone yet to regain access to Group FaceTime, this is an even better reason to switch to iOS version 12.1.4 as soon as possible.
While you may think that’s due to a lower severity level for issues relating to the Live Photos feature in FaceTime, the iOS Foundation framework, and the I/O Kit framework, Twitter user Ben Hawkes claims two of these lesser-known vulnerabilities were in fact “exploited in the wild as 0day.”
In other words, he knows exactly what he’s talking about, and if he says exploits were out in the wild, that definitely happened. What we don’t know just yet and we will probably never know is the nature of these “0day” attacks.
By the way, that term is extremely generic, describing any sort of software vulnerability that is unknown to said software’s developers for any period of time while hackers take advantage of a security flaw.
At the same time, Apple is as cryptic as always in “detailing” the issues fixed by iOS 12.1.4. The CVE-2019-7286 vulnerability is apparently a “memory corruption issue” that potentially allowed “an application to gain elevated privileges”, with a different “memory corruption issue” referenced as CVE-2019-7287 as it opened the door for “an application to execute arbitrary code with kernel privileges.”
Things that are NOT allowed: