
Google warns about two iOS zero-days 'exploited in the wild' - LinuxBender
https://www.zdnet.com/article/google-warns-about-two-ios-zero-days-exploited-in-the-wild/
======
MattSteelblade
So far the two parent comments are quite negative, which surprises me. I
understand the anti-Google sentiment, but Project Zero has been a much needed
booster to the security of the public and it has borne fruit. The fact that an
iOS vulnerability is actively being exploited is notable. I think their method
of responsible disclosure is reasonable.

~~~
jsgo
There are cases that I'm all for bashing Google when they don't give the
company they're targeting enough time to patch something (recently, seems
mostly directed at Microsoft). This isn't one of those cases.

They seem to have waited until Apple had a patch ready, they disclosed it to
Apple and gave them an adequate amount of time to patch the vulnerability, and
users are better for it.

So in this case and others similar to it, kudos to Google.

~~~
PurpleBoxDragon
>There are cases that I'm all for bashing Google when they don't give the
company they're targeting enough time to patch something

While I understand the common ethos of our current culture supports this, has
there been analysis if giving what could constitute a second chance to fix
security issues leads to less prioritization of security initially? I could
definitely see a business deciding to lower their security expenditure since
if an issue is found, they will be given a grace window to fix it before the
world hears about it. It would still be damaging, but it would be far less
since the PR machine could spit out that it was patched before it was
announced to the world.

There has to have been some agreement to limit the grace period since people
will go live once a reasonable time frame to fix it has passed and they won't
be judged negatively if others agree reasonable time was given. So if we won't
judge someone for giving only 6 months instead of 3 years, what about the one
who gives only 2 weeks instead of 6 months? How do we calculate which of two
time frames is better?

~~~
kerng
If only Google would hold themselves accountable to the same standard. Android
is a gigantic security mess, all caused and enabled by Google.

~~~
kllrnohj
No it isn't? Android has a bug bounty program:
[https://www.google.com/about/appsecurity/android-rewards/](https://www.google.com/about/appsecurity/android-rewards/)

and regularly has strong showings at pwn2own. Android's security for the past
couple of years has been superb.

~~~
justapassenger
Android as an abstract project, yes. Android, as what's actually used by
users, it's not that superb.

Google is slowly trying to fix it, but average Android device is way behind
average iOS device in the wild, and that will be the case for many years to
come.

~~~
kllrnohj
> Android, as what's actually used by users, it's not that superb.

It is, though. The Android that's most commonly used by users is the one from
Samsung, who also issues monthly security patches for a large range of
devices:
[https://security.samsungmobile.com/workScope.smsb](https://security.samsungmobile.com/workScope.smsb)

LG ([https://lgsecurity.lge.com/security_updates.html](https://lgsecurity.lge.com/security_updates.html))
does as well, and so do at least Motorola & Nokia.

> average Android device is way behind average iOS device in the wild, and
> that will be the case for many years to come.

[citation needed]

Average iOS device just got hit by 2 zero-days in the wild. And jailbreaking
is a long and well established practice on iOS, which is literally privilege
escalation exploits. There's a constant, continuous stream of those on iOS.
There doesn't seem to be many (any?) on Android for a while now.

~~~
joshuamorton
>There doesn't seem to be many (any?) on Android for a while now.

To be fair, there are a variety of reasons why this isn't the case that have
nothing to do with security. An Android jailbreak is less valuable for a few
reasons, among them that you can often purchase Android devices with root
privs; the same isn't possible for iPhone.

------
xd1936
I wonder if one of these was used by the FBI's unlocking tool from the San
Bernardino shooter case. That sort of just... fizzled out, with the FBI saying
they could unlock iPhones themselves. Everybody kind of just said "yikes" to
that statement and moved on...

[https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute](https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute)

~~~
Derek_MK
I mean, the whole point of that issue was that the FBI wanted Apple to develop
tools that would make it a lot easier for the FBI to do it later if they
wanted to. It probably cost them a lot of money/time to do it the way they
did. Plus, wasn't that the suspect's work phone anyway? So there really
couldn't even be much that would have incriminated him on that phone. The
point was setting a technological precedent.

~~~
earenndil
> the FBI wanted Apple to develop tools that would make it a lot easier for
> the FBI to do it later if they wanted to. It probably cost them a lot of
> money/time to do it the way they did

No, they wanted to set a legal precedent.

~~~
lern_too_spel
Precedent was already on the FBI's side, just as in the Lavabit case.

------
crazygringo
Side question: whatever happened to Chrome blocking autoplay videos like this
horrible and incredibly loud one?

It's supposed to have been in place for a year or so... but it's clearly not
working. If this particular one isn't blocked, then what ones _are_?

I'm on up-to-date Chrome 72...

[1] [https://developers.google.com/web/updates/2017/09/autoplay-policy-changes](https://developers.google.com/web/updates/2017/09/autoplay-policy-changes)

~~~
etaioinshrdlu
The autoplay blocking involves a complicated set of heuristics involving the
domain name and your past behavior with that domain...

~~~
crazygringo
So I just checked my heuristics at chrome://media-engagement/ and zdnet.com
has a personal MEI of 0.0 with 7 visits (for comparison, YouTube is 0.76), and
the stated threshold at the top of that page for allowing video with sound is
min 0.2 max 0.3.

So just ugh. Disappointed in Chrome that zdnet.com is somehow considered high
enough quality to play videos with audio automatically. :(

~~~
tnorthcutt
zdnet.com has a score of 0 for me, and it still autoplayed.

------
sounds
To avoid the auto-playing video with loud volume, here's the entire content of
the article:

[https://twitter.com/benhawkes/status/1093581737924259840](https://twitter.com/benhawkes/status/1093581737924259840)

"CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today
([https://support.apple.com/en-us/HT209520](https://support.apple.com/en-us/HT209520)) were exploited in the wild as 0day."

--

A Google top security engineer has revealed today that hackers have been
launching attacks against iPhone users using two iOS vulnerabilities. The
attacks have happened before Apple had a chance to release iOS 12.1.4 today
--meaning the two vulnerabilities are what security experts call "zero-days."

The revelation came in a tweet from Ben Hawkes, team leader at Project Zero
--Google's elite security team. Hawkes did not reveal under what circumstances
the two zero-days have been used.

At the time of writing, it is unclear if the zero-days have been used for
mundane cyber-crime operations or in more targeted cyber-espionage campaigns.

The two zero-days have the CVE identifiers of CVE-2019-7286 and CVE-2019-7287.

According to the Apple iOS 12.1.4 security changelog, CVE-2019-7286 impacts
the iOS Foundation framework --one of the core components of the iOS operating
system.

An attacker can exploit a memory corruption in the iOS Foundation component
via a malicious app to gain elevated privileges.

The second zero-day, CVE-2019-7287, impacts I/O Kit, another iOS core
framework that handles I/O data streams between the hardware and the software.

An attacker can exploit another memory corruption in this framework via a
malicious app to execute arbitrary code with kernel privileges.

Apple credited "an anonymous researcher, Clement Lecigne of Google Threat
Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google
Project Zero" for discovering both vulnerabilities.

Neither an Apple nor a Google spokesperson responded to requests for comment from
ZDNet before this article's publication. It is highly unlikely that the two
companies will comment on the issue at this time, as both would like to keep
the zero-day specifics to a minimum and prevent other threat actors from
gaining insight into how the zero-days work.

iPhone users are advised to update their devices to iOS 12.1.4 as soon as
possible. This release also fixes the infamous FaceTime bug that allowed users
to eavesdrop on others using group FaceTime calls.

------
dwighttk
Any word on what apps included these exploits? I'm guessing there was at least
one since they say "in the wild"

------
zelon88
I hold the unpopular opinion that Google Project Zero is pretentious and
unprofessional.

I mean here we have the most valuable company on Earth, specifically scoping
out competing software and hardware constantly looking for zero day
vulnerabilities. They don't submit to the bug bounty, so if they have a
disclosure that you disagree with you better agree quick because they'll just
go public.

How fast do you think I would get sued if I found a zero day in a Google
product, told Google to fix it, shove the bounty, and then went public 30 days
later?

~~~
jasonvorhe
They're using iPhones themselves inside of the company, trusting the devices
as part of their Beyond Corp security mechanism, so they have an interest in
the software trusted to their company network being as secure as possible.

~~~
6d6b73
And we don't?

I want my phone to be as secure as possible because I use it for work, but of
course, since it's not brand new I can't get updates.

~~~
ribosometronome
This update is available to iPhones from the 5S and newer. The 5S was released
in 2013. If your phone is older than that, it's a bit older than "not brand
new".

~~~
jtbayly
I think the point is that he has an Android, but _he_ can't update, while
Apple users can.

