Earlier today, Apple released iOS 12.1.4, which fixed the critical Group FaceTime bug. As it turns out, though, Apple also fixed two critical zero-day vulnerabilities with the update.
According to Ben Hawkes of Google’s Project Zero team, these two zero-day vulnerabilities were being used by hackers in the wild to attack iPhone users. Hawkes did not reveal how hackers used the vulnerabilities or what they could do with them. Nonetheless, he confirmed that Apple patched both vulnerabilities with the iOS 12.1.4 update.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.
— Ben Hawkes (@benhawkes) February 7, 2019
The two zero-day vulnerabilities carry the CVE identifiers CVE-2019-7286 and CVE-2019-7287. The former affects the iOS Foundation Framework and allows a hacker to gain elevated privileges, while the latter allows them to run arbitrary code with kernel privileges.
In its security log, Apple credits Ian Beer and Samuel Groß of Project Zero and Clement Lecigne of Google Threat Analysis Group with discovering the vulnerabilities.
Given the critical nature of the two bugs, it makes sense that no one from Google’s Project Zero team or from Apple’s side has talked about them much. This does, however, make the iOS 12.1.4 update even more important. So, if you have not already updated your iPhone or iPad to it, make sure to do so as soon as possible.