As expected, Apple yesterday released iOS 12.1.4 to fix a crash involving Group FaceTime. What no one expected, however, was that the update would also fix two other major zero-day vulnerabilities in Apple's mobile system, discovered by Google's Project Zero researchers.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.
– Ben Hawkes (@benhawkes) February 7, 2019
According to the security notes for the iOS 12.1.4 update, the CVE-2019-7286 and CVE-2019-7287 flaws relate, respectively, to the Foundation and IOKit frameworks; both could grant hackers "special privileges" through a "memory corruption" problem.
Hawkes did not disclose the circumstances under which the two vulnerabilities were used; therefore, it is not clear whether they served as weapons for cybercrime or espionage, as ZDNet noted.
In a statement, Apple credited the findings to an anonymous researcher, Clement Lecigne (from Google's Threat Analysis Group), Ian Beer and Samuel Groß (both from Project Zero). So if the FaceTime bug fix alone was not enough to convince you to upgrade your iOS device, you may now want to reconsider that decision.
Last week we warned of the dangers of downloading new shortcuts without knowing the developer or the information used by the service to complete a certain action. In many cases, such shortcuts could view (and steal) personal contacts, addresses, browsing history, app usage, and other data.
To address this issue, Apple also released yesterday afternoon (along with the FaceTime bug fix and the macOS Mojave 10.14.3 supplemental update) version 2.1.3 of the Shortcuts app, whose release notes simply mentioned “bug fixes and improvements.” A support document, however, gives us more details about this update.
As with iOS, two vulnerabilities affected the Shortcuts app: CVE-2019-7289 and CVE-2019-7290. The first allowed a local user to view another person's confidential information due to an application directory parsing problem (which could be a shortcut's code itself), while the second bypassed Apple's sandbox restrictions to access personal information.
Apple also thanked the researchers who discovered the aforementioned flaws. To update the Shortcuts app, simply open the App Store “Updates” tab, as with any other app.
via 9to5Mac, iDownloadBlog