Two zero-day vulnerabilities in iOS have been exploited in attacks on iPhone and iPad. This was announced by Ben Hawkes, head of the Google Project Zero team, in his Twitter posts. At the moment it is unclear whether the vulnerabilities were used in ordinary cybercriminal operations or in targeted cyber-espionage campaigns.
The vulnerabilities in question are CVE-2019-7286 and CVE-2019-7287, both of which are memory corruption issues. The first resides in the Foundation framework, one of the key components of the iOS operating system. An attacker can use it to elevate privileges on the system.
The second vulnerability affects the I/O Kit framework, which handles the transfer of input and output data between software and hardware. It allows an attacker to execute arbitrary code with kernel privileges.
Both problems have been fixed in iOS 12.1.4. In addition, this release resolves the widely publicized FaceTime vulnerability that made it possible to spy on any iPhone and iPad. Users are advised to upgrade to a newer OS version as soon as possible.