A Google top security engineer has revealed today that hackers have been launching attacks against iPhone users using two iOS vulnerabilities. The attacks have happened before Apple had a chance to release iOS 12.1.4 today --meaning the two vulnerabilities are what security experts call "zero-days."
The revelation came in a tweet from Ben Hawkes, team leader at Project Zero --Google's elite security team. Hawkes did not reveal under what circumstances the two zero-days have been used.
At the time of writing, it is unclear if the zero-days have been used for mundane cyber-crime operations or in more targeted cyber-espionage campaigns.
The two zero-days have the CVE identifiers of CVE-2019-7286 and CVE-2019-7287.
According to the Apple iOS 12.1.4 security changelog, CVE-2019-7286 impacts the iOS Foundation framework --one of the core components of the iOS operating system.
An attacker can exploit a memory corruption in the iOS Foundation component via a malicious app to gain elevated privileges.
The second zero-day, CVE-2019-72867, impacts I/O Kit, another iOS core framework that handles I/O data streams between the hardware and the software.
An attacker can exploit another memory corruption in this framework via a malicious app to execute arbitrary code with kernel privileges.
Apple credited "an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero" for discovering both vulnerabilities.
Neither an Apple or Google spokesperson responded to requests for comment from ZDNet before this article's publication. It is highly unlikely that the two companies will comment on the issue at this time, as both would like to keep the zero-day specifics to a minimum and prevent other threat actors from gaining insight into how the zero-days work.
iPhone users are advised to update their devices to iOS 12.1.4 as soon as possible. This release also fixes the infamous FaceTime bug that allowed users to eavesdrop on others using group FaceTime calls.