Google’s Project Zero team has disclosed the details behind numerous vulnerabilities that they uncovered in Apple’s iOS operating system and Safari browser. These vulnerabilities, when properly chained together, allow an attacker to access and download sensitive information from an iOS device when the user simply browses to a website serving up the attack.
The vulnerabilities were disclosed to Apple on February 1, 2019 and were patched by Apple in iOS 12.1.4 on February 7, 2019. The sophistication of the attacks exploiting these vulnerabilities highlights the lengths to which threat actors will go to exploit the iOS platform, which is highly regarded for its security and privacy. In this case, those behind the attacks appear likely to be nation-state actors who were using these vulnerabilities to spy on citizens, either en masse or by targeting certain groups such as journalists.
As always, this is a reminder to keep your iOS devices patched at all times. Apple is particularly good at rapidly responding to and fixing reported vulnerabilities, as was demonstrated in this case, and because Apple controls both the hardware and the software environment, patches are readily available as soon as they are released. This contrasts with the Android environment, where patches, even once they are released by Google, often cannot be downloaded by users at all because they must first pass through the device manufacturers or telco carriers. Analysis confirms that Apple users are much more likely to be running a current operating system version than Android users, with all the implications that has for whether the devices are patched against currently known vulnerabilities.