One of the leading experts of Google security warns about using websites two 0-day vulnerabilities in iOS real attacks. The attack was recorded before Apple released iOS 12.1.4. IPhone users are recommended to install the patch released yesterday.
Security issue reported the head of the team in project Zero Ben Hawkes. The expert, however, did not specify what circumstances are required for the successful exploitation of these vulnerabilities.
Gaps received identifiers CVE-2019-7286 and CVE-2019-7287. About their operation in real attacks Hawkes said on Twitter:
“Mentioned in the release notes of the patch for iOS CVE-2019-7286 and CVE-2019-7287 used by hackers in the real attacks.”
At the moment it is unclear what use these two holes for attacks around the world without a specific goal, or for a coordinated cyberspying campaign.
Writes Apple CVE-2019-7286 affected framework Foundation — one of the key components of the iOS operating system. The second CVE-2019-72867 — affects I/O Kit. An attacker could use a malicious application to execute code with the privileges of the kernel.
At the moment, neither Google nor Apple has not commented on these security issues.
Read more •••