However, by revealing the technical details to the general public and sharing the information prior with Zimperium's Handset Alliance (ZHA) -- of which Samsung, Telstra, and BlackBerry are members, among others -- this will hopefully prompt handset vendors to ensure patches released by Apple and Google are rolled out quickly, if they have not already been made available.
The first flaw, which at the time of writing has not been issued a CVE number, is an information disclosure issue which impacts Apple's iCloud storage service. Affecting iOS version 10.3 and below, the vulnerability occurs due to a lack of sandbox checks.
The XPC service com.apple.coreservices.appleid.authentication could be accessed by any application on iOS and attackers could exploit the issue by sending a message containing a "command" key to the service. If the value was set to 0x130, 0x500, or 0x510, information about the user's iCloud was exposed, such as phone numbers, names, and the device serial number, as well as all emails associated with the iCloud account.
The security flaw, which impacts Android 6.0.1 on Nexus 9 devices, allows attackers to use a crafted application connected to the NVIDIA nvhost-vic driver to escalate their privileges and write arbitrary code in the kernel.
The third and final security flaw, CVE-2016-3857, is another privilege escalation issue on the Android platform. Affecting Huawei MT7-UL00 and Nexus 7 devices running Android 6.0 and below, the bug occurs in the Android function 'sys_oabi_epoll_wait.'
If are events are set to a kernel address, due to a lack of validation, this can lead to arbitrary kernel write.
In April, Zimperium released the technical details of bugs affecting the Nvidia Video driver and MSM Thermal driver on the Android mobile platform.