A pair of now-resolved iOS security flaws were successfully exploited by attackers to hack Apple devices “in the wild,” according to a new report.
The attacks apparently came before Apple was able to patch the flaws in the latest iOS 12.1.4 update, meaning that they were exploited as “zero-day” vulnerabilities.
Ben Hawkes, the team leader at Google’s elite Project Zero cybersecurity team, revealed the attacks in a tweet on Feb. 7 (shown below).
How the vulnerabilities were exploited or who was behind the attacks are currently unknown.
It also isn’t clear whether or not the flaws were leveraged in routine cybercrimes or as part of a more widespread and targeted campaign.
iOS 12.1.4, which was released this week, contains a fix for the widely publicized FaceTime spying bug. But according to Apple’s security updates page, iOS 12.1.4 also patched other known issues — including the two vulnerabilities mentioned by Hawkes.
According to Apple, the two security vulnerabilities took advantage of Foundation and I/OKit memory corruption issues in past versions of iOS. The flaws were logged as CVE-2019-7286 and CVE-2019-7287.
The first of the two reportedly allowed a malicious app to gain elevated privileges on iOS devices, while the second vulnerability may have allowed an app to execute code with kernel privileges.
Apple said both vulnerabilities affected the following devices: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later.
The company also credited several people with finding the flaws, including an anonymous security researcher, Google Threat Analysis Group’s Clement Lecigne, and Google Project Zero’s Ian Beer and Samuel Groß.
iOS 12.1.4 also contains a fix for a Live Photos in FaceTime bug that was discovered after Apple carried out a “thorough security audit” of the feature — presumably in the wake of the Group FaceTime bug. While the Live Photos bug has been patched, no other details about the vulnerability have been shared.
Because the vulnerabilities have already been used against iPhones in the wild, it’s highly recommended that iOS users update to iOS 12.1.4 as soon as possible. iOS users who want to use the Group FaceTime feature will also need to update before doing so.