Apple Fixes Two Zero-Day iOS Vulnerabilities Exploited in the Wild

Apple’s newly released iOS 12.1.4 includes fixes for two serious vulnerabilities that were already being exploited in the wild. The update also fixes the FaceTime bug that allowed callers to remotely enable other people’s microphones.

The two vulnerabilities, tracked as CVE-2019-7286 and CVE-2019-7287 in the iOS advisory, were exploited in the wild as zero-days, Ben Hawkes, the lead of Google’s Project Zero team, said on Twitter.

One flaw, CVE-2019-7286, is a memory corruption issue in the Foundation component that can allow an application to gain elevated privileges. The other, CVE-2019-7287, is a memory corruption issue in IOKit that allows an application to execute arbitrary code with kernel privileges. A privilege escalation paired with a kernel code execution bug is the usual shape of a full iOS exploit chain, which is why the pair drew attention.

It’s not clear in what type of attacks these vulnerabilities were exploited before Apple patched them, but zero-day iOS exploit chains that lead to a full device compromise fetch up to $2 million on the exploit acquisition market.

The iPhone is widely regarded as the most secure mainstream smartphone, and its users include many high-value targets, so law enforcement, intelligence agencies, cyberespionage groups and cybercriminal gangs are always interested in acquiring exploits against it.

The new iOS update also patches a bug in the FaceTime video calling app that was recently publicly disclosed and which could be used to remotely turn on the microphone on a recipient’s device before the call was answered. The bug is related to the Group FaceTime feature, so Apple disabled that functionality on its servers after the issue became public to prevent abuse. Now the client-side issue has also been fixed, so the group calling feature can be safely re-enabled for updated devices.

“A logic issue existed in the handling of Group FaceTime calls,” Apple said in its advisory. “The issue was addressed with improved state management.”

A second vulnerability located in the Live Photos feature of FaceTime has also been patched with this update. That flaw was discovered internally after Apple performed a thorough security audit of the FaceTime service, probably in response to the group chat issue.

The two FaceTime bugs and the Foundation vulnerability, CVE-2019-7286, have also been fixed through a supplemental update to macOS Mojave 10.14.3 that was also released this week.

Low-end Android Devices Get Full-Disk Encryption

Google has developed a new encryption mode that makes it possible to enable full-disk encryption on low-end Android devices whose CPUs lack hardware acceleration for AES.

Called Adiantum, the new mode makes it possible to use the fast ChaCha stream cipher for full-disk encryption, something that wasn’t possible until now because of the way a stream cipher operates.

Android’s current full-disk encryption functionality relies on the AES cipher (in XTS mode), which has very good performance on processors that have hardware support for it, such as those based on the ARMv8 architecture.

However, many low-end Android devices, including phones, tablets, smartwatches and TVs, have older CPUs such as ARM Cortex-A7 that do not have AES hardware instructions. Until now, using Android’s full-disk encryption on such devices would have required performing AES operations in software, which would have severely impacted their performance.

Meanwhile, the ChaCha20 cipher, which is used to encrypt data streams (for example, in the TLS connections behind HTTPS), is fast on all CPUs because it relies only on additions, rotations and XORs, operations that every CPU supports natively. The problem was that a stream cipher on its own cannot safely encrypt fixed-size disk sectors in place. It XORs data with a keystream derived from the key and a nonce, and disk encryption has nowhere to store a fresh nonce per write, so every rewrite of a sector would reuse the same keystream. That reuse leaks the XOR of the old and new contents, and because the encryption is length-preserving and malleable, flipping a bit of ciphertext flips the same bit of plaintext. What disk encryption needs is a length-preserving, tweakable wide-block mode, in which the sector number acts as the tweak and any change to a ciphertext sector scrambles the entire decrypted sector.

“Adiantum allows us to use the ChaCha stream cipher in a length-preserving mode, by adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH,” Paul Crowley and Eric Biggers from the Android Security and Privacy Team said in a blog post. “On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is about 10.6 cycles per byte, around 5x faster than AES-256-XTS.”
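To make the limitation concrete, here is an added example (not Google’s code and not the Adiantum implementation): a pure-Python ChaCha20 following RFC 7539, driven as a naive sector encryptor that derives its nonce from the sector number, an assumption made here for illustration only. The two demo functions show the bit-flipping and keystream-reuse problems that a wide-block mode like Adiantum is designed to prevent. The sector contents and the fixed key are constructed sample data.

```python
import struct

# --- ChaCha20 as specified in RFC 7539 (pure Python, for illustration only) ---

MASK32 = 0xffffffff


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (key, counter, nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))   # constants
             + list(struct.unpack("<8I", key))                  # 256-bit key
             + [counter & MASK32]                                # block counter
             + list(struct.unpack("<3I", nonce)))                # 96-bit nonce
    w = state[:]
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (the operation is symmetric): data XOR keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


# --- Naive "disk encryption" with a raw stream cipher (what Adiantum replaces) ---

SECTOR_SIZE = 4096


def sector_nonce(sector_index):
    """Assumption for this illustration: the nonce is just the sector number.
    A sector is rewritten in place, so there is no room for a fresh nonce
    per write; this is the only kind of nonce a raw stream cipher could use."""
    return struct.pack("<Q", sector_index) + b"\x00" * 4


def encrypt_sector(key, sector_index, plaintext):
    assert len(plaintext) == SECTOR_SIZE
    return chacha20_xor(key, sector_nonce(sector_index), plaintext)


def bit_flip_is_undetected(key, sector_index=7):
    """Malleability: flipping bit 0 of ciphertext byte 0 flips exactly that
    plaintext bit; every other byte decrypts unchanged, so nothing notices."""
    plaintext = b"root:x:0:0:root:/root:/bin/sh\n".ljust(SECTOR_SIZE, b"\x00")  # constructed
    ciphertext = bytearray(encrypt_sector(key, sector_index, plaintext))
    ciphertext[0] ^= 0x01
    decrypted = encrypt_sector(key, sector_index, bytes(ciphertext))
    return decrypted[0] == (plaintext[0] ^ 0x01) and decrypted[1:] == plaintext[1:]


def rewrite_leaks_xor(key, sector_index=7):
    """Keystream reuse: the same sector rewritten under the same nonce gives
    C1 XOR C2 == P1 XOR P2, so an attacker with two disk snapshots learns the
    difference between old and new contents without the key."""
    old = b"balance=100".ljust(SECTOR_SIZE, b"\x00")   # constructed sample data
    new = b"balance=999".ljust(SECTOR_SIZE, b"\x00")
    c_old = encrypt_sector(key, sector_index, old)
    c_new = encrypt_sector(key, sector_index, new)
    xor_ct = bytes(a ^ b for a, b in zip(c_old, c_new))
    xor_pt = bytes(a ^ b for a, b in zip(old, new))
    return xor_ct == xor_pt


def rfc7539_block_vector_ok():
    """RFC 7539 section 2.3.2 test vector for the block function."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    block = chacha20_block(key, 1, nonce)
    return block[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


if __name__ == "__main__":
    key = bytes(range(32))  # constructed key; never use a fixed key in practice
    print("RFC 7539 block vector:", rfc7539_block_vector_ok())
    print("bit flip undetected  :", bit_flip_is_undetected(key))
    print("rewrite leaks XOR    :", rewrite_leaks_xor(key))
```

Both demo functions return True for the raw stream cipher. Under a tweakable wide-block mode such as Adiantum, the first would come back False, because flipping any ciphertext bit randomizes the whole 4096-byte sector rather than one plaintext bit; the second attack is also closed, because the sector number enters the construction as a tweak and the mode is a permutation over the entire sector rather than a keystream XOR. Real Adiantum builds that permutation from XChaCha12, a fast hash and a single AES block call; it is exposed in the Linux crypto API under the name adiantum(xchacha12,aes), and is not reproduced here.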

The new encryption mode has been integrated into Android Pie, so low-end devices that get updated to this Android version will be able to use full-disk encryption. In addition, Adiantum has been integrated into the upcoming Linux 5.0 kernel, so any embedded Linux device that uses this kernel version will also be able to use it for encrypting storage.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
