Apple fixes three iOS zero-days exploited in the wild
Apple has released security updates today for iOS to patch three zero-day vulnerabilities that were discovered being abused in attacks against its users.
According to Shane Huntley, Director of Google's Threat Analysis Group, the three iOS zero-days are related to the recent spat of three Chrome zero-days[1, 2, 3] and a Windows zero-day that Google had previously disclosed over the past two weeks.
Just like in the four previous cases, Google has not shared details about the attacker(s) or their target(s).
Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.
— Shane Huntley (@ShaneHuntley) November 5, 2020
While it's unknown if the zero-days have been used against selected targets or en-masse, iOS users are advised to update to iOS 14.2, just to be on the safe side.
The same security bugs have also been fixed in iPadOS 14.2 and watchOS 5.3.8, 6.2.9, and 7.1, and have also been backported for older generation iPhones via iOS 12.4.9, also released today.
According to Google Project Zero team lead Ben Hawkes, whose team discovered and reported the attacks to Apple, the three iOS zero-days are:
- CVE-2020-27930 — a remote code execution issue in the iOS FontParser component that lets attackers run code remotely on iOS devices.
- CVE-2020-27932 — a privilege escalation vulnerability in the iOS kernel that lets attackers run malicious code with kernel-level privileges.
- CVE-2020-27950 — a memory leak in the iOS kernel that allows attackers to retrieve content from an iOS device's kernel memory.
All three bugs are believed to have been used together, part of an exploit chain, allowing attackers to compromise iPhone devices remotely.