Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Apple patches two flaws reportedly exploited in zero-day attacks; also nixes FaceTime eavesdropping bug

Apple yesterday released security updates for iOS and macOS Mojave, repairing four vulnerabilities, including two that a Google researcher says were exploited in the wild as zero days.

The two exploited flaws consisted of memory corruption issues caused by insufficient input validation. The first, CVE-2019-7286, is a privilege escalation vulnerability in the Foundation framework that affects both iOS and macOS devices.

The second, CVE-2019-7287, affects only iOS devices. It resides in the open-source I/OKit framework and enables arbitrary code execution with kernel privileges.

The discovery of both bugs were credited to Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero, and an anonymous researcher.

It was Ben Hawkes, team lead at Project Zero, who reported via Twitter that these vulnerabilities were exploited prior to the security update. "CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today... were exploited in the wild as 0day," the tweet reads.

The release of iOS 12.1.4 and supplemental update of Mojave 10.14.3 fixed not only the zero-day flaws, but also CVE-2019-6223. This is the FaceTime bug that 14-year-old student Grant Thompson and Texas software engineer Daven Morris separately reported last month after discovering the app could be manipulated to force the recipient's phone to secretly answer, allowing the caller to eavesdrop.

"A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management," Apple states on a product support page.

Apple's iOS update addressed one additional bug found in FaceTime's Live Photos feature. Designated CVE-2019-7288, the bug was fixed with improved validation; however, Apple has not disclosed what the precise issue was.

Also yesterday, Apple issued an update for Shortcuts for iOS, patching an information disclosure bug (CVE-2019-7289) and a sandbox bypass vulnerability (CVE-2019-7290).

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.