Multiple Websites Delivered Exploits to iPhones for Years
Security researchers at Google’s Project Zero discovered several malicious websites that had been hijacked and used to distribute exploits to iPhones users for nearly three years. The targeting was indiscriminate, delivering a monitoring implant to any iPhone visitor without any user interaction. The researchers estimate that the sites received thousands of visitors per week. The five exploit chains targeted 14 iOS vulnerabilities in iOS versions 10.x, 11.x, and 12.x. The implants could allow a threat actor to steal data from iMessages, photos, and GPS location in real-time; however, rebooting the infected device would remove the malware. After receiving a notification from Project Zero, Apple distributed iOS 12.1.4 in an out-of-band update on February 7, 2019. The NJCCIC recommends iOS users keep their devices up-to-date with the latest patches and review the Project Zero post for more information.