Apple has released iOS 12.1.4 update which brings a fix for the FaceTime bug that allowed the caller to peep into the receiver’s video and audio. The update also brings a fix for two zero-days security threats that a top Google security engineer, Ben Hawkes, team leader at Google’s Project Zero security team revealed.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.
— Ben Hawkes (@benhawkes) February 7, 2019
The two vulnerabilities were fixed with the iOS 12.1.4 update that was released earlier today. Hawkes says both vulnerabilities were exploited in the wild as zero-day. The two vulnerabilities carry identifiers of CVE-2019-7286 and CVE-2019-7287. The iOS 12.1.4 security change log says that CVE-2019-7286 relates to the iOS Foundation framework, allowing an attacker to use a memory corruption and gain “elevated privileges.”
The CVE-2019-7287 centers around I/O Kit, allowing an attacker to “execute arbitrary code with kernel privileges” due to a memory corruption issue. Apple’s security log credits “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero” for both of the findings. iPhone users are advised to update to the iOS 12.1.4 update as soon as possible as this also fixes the infamous FaceTime bug.