Apple yesterday released security updates for iOS and macOS Mojave, repairing four vulnerabilities, including two that a Google researcher says were exploited in the wild as zero days.
The two exploited flaws consisted of memory corruption issues caused by insufficient input validation. The first, CVE-2019-7286, is a privilege escalation vulnerability in the Foundation framework that affects both iOS and macOS devices.
The second, CVE-2019-7287, affects only iOS devices. It resides in the open-source I/OKit framework and enables arbitrary code execution with kernel privileges.
The discovery of both bugs were credited to Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero, and an anonymous researcher.
It was Ben Hawkes, team lead at Project Zero, who reported via Twitter that these vulnerabilities were exploited prior to the security update. “CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today… were exploited in the wild as 0day,” the tweet reads.
The release of iOS 12.1.4 and supplemental update of Mojave 10.14.3 fixed not only the zero-day flaws, but also CVE-2019-6223. This is the FaceTime bug that 14-year-old student Grant Thompson and Texas software engineer Daven Morris separately reported last month after discovering the app could be manipulated to force the recipient’s phone to secretly answer, allowing the caller to eavesdrop.
“A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management,” Apple states on a product support page.
Apple’s iOS update addressed one additional bug found in FaceTime’s Live Photos feature. Designated CVE-2019-7288, the bug was fixed with improved validation; however, Apple has not disclosed what the precise issue was.
Also yesterday, Apple issued an update for Shortcuts for iOS, patching an information disclosure bug (CVE-2019-7289) and a sandbox bypass vulnerability (CVE-2019-7290).