Hackers successfully exploited two of the vulnerabilities that Apple patched in its latest iOS 12.1.4 update.
Ben Hawkes, team leader at Google’s Project Zero security research group, revealed in a tweet that vulnerabilities identified as CVE-2019-7286 and CVE-2019-7287 in Apple’s iOS 12.1.4 security change log had been exploited in the wild as “zero day.”
A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.
At the moment, it’s unclear under what circumstances the vulnerabilities were used, but one exploit involved the iOS Foundation component and a memory corruption issue that could allow an app to gain “elevated privileges” on an iPhone 5s and later, iPad Air and later, or an iPod Touch 6th generation. The second vulnerability potentially allowed for kernel privileges and affected the same devices.
Apple credited “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero” for discovering both vulnerabilities.