Google warns about two iOS zero-days ‘exploited in the wild’
A top Google security engineer revealed today that hackers have been launching attacks against iPhone users using two iOS vulnerabilities. The attacks happened before Apple had a chance to release iOS 12.1.4 today – meaning the two vulnerabilities are what security experts call “zero-days.”
The revelation came in a tweet from Ben Hawkes, team leader at Project Zero – Google’s elite security team. Hawkes did not reveal under what circumstances the two zero-days have been used.
At the time of writing, it is unclear if the zero-days have been used for mundane cyber-crime operations or in more targeted cyber-espionage campaigns.
The two zero-days have the CVE identifiers of CVE-2019-7286 and CVE-2019-7287.
According to the Apple iOS 12.1.4 security changelog, CVE-2019-7286 impacts the iOS Foundation framework – one of the core components of the iOS operating system.
An attacker can exploit a memory corruption in the iOS Foundation component via a malicious app to gain elevated privileges.
The second zero-day, CVE-2019-7287, impacts I/O Kit, another iOS core framework that handles I/O data streams between the hardware and the software.