According to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as a 0day.
Vulnerable component: Apple iOS
CVSSv3 score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The vulnerability allows a local attacker to gain elevated privileges.
The weakness exists due to a boundary error in the IOKit component when handling malicious input. A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Latest references in media:
- Apple Released Security Update & Fixes for iOS FaceTime Zero-day Flaw [2019-02-09 07:21:07]
- Apple Patched Two Actively Exploited Zero-Days in iOS 12.1.4 [2019-02-08 15:20:36]
- Apple patches FaceTime flaw, and two exploited zero-days in new security update [2019-02-08 14:21:24]
- Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild [2019-02-08 12:40:12]
- Apple fixes FaceTime eavesdropping bug, two iOS zero-days [2019-02-08 12:21:24]
- Apple fixes FaceTime eavesdropping bug, two iOS zero-days [2019-02-08 12:10:16]
- Google Spots Attacks Exploiting iOS Zero-Day Flaws [2019-02-08 11:10:13]
- Apple finally fixes FaceTime privacy bug and credits teen who found it | TheINQUIRER [2019-02-08 10:20:11]
- Google warns about two iOS zero-days 'exploited in the wild' | ZDNet [2019-02-08 03:20:11]
- Out Now – Apple’s iOS 12.1.4 Update – Fix For FaceTime Bug [2019-02-07 23:12:26]
- Apple Fixes Pesky FaceTime Bug in iOS 12.1.4 Update [2019-02-07 21:50:13]