Last Thursday, Apple released a number of updates related to the security of their devices in an attempt to patch three actively exploited zero-day vulnerabilities. The patches for the zero-days were included in the updates for iOS, iPadOS, macOS, and watchOS.
Google’s Project Zero security team has identified and disclosed the zero-days to Apple. According to the information that is available, the flaws that have been reported were linked to the FontParser component and the kernel, and were able to allow advertisers to execute arbitrary code remotely, as well as launch potentially malicious applicatios with kernel-level privileges.
Apple commented that it is aware of reports warning about the exploits of these flaws in the wild. However, the company hasn’t given any additional information on the zero-days exploits in order to allow more users to firstly install the released updates.
The devices affected include:
- iPhone 5s and later versions
- iPod touch 6th and 7th generation
- iPad Air
- iPad mini 2 and later
- Apple Watch Series 1 and later
The patches are published as extra update for Catalina 10.15.7, as well as in iOS 12.4.9 and 14.2, iPadOS 14.2 and watchOS 5.3.9, 6.2.9 and 7.1.
More details about the flaws can be found in Apple’s security page where they are listed as follows:
- CVE-2020-27930: a FontParser library memory corruption problem that enables remote code execution while a malicious font is processed.
- CVE-2020-27932: a memory initialization bug that enables a malicious program to run arbitrary code with kernel rights.
- CVE-2020-27950: Type-confusion problem which lets a malicious application to reveal kernel memory.
Since October 20th, Project Zero has disclosed a number of zero-days, this one being the latest. More information on the misuse of the disclosed zero-days by the same malicious actor is expected to be dislcosed. In the meantime, it is highly recomended that users upgrade their devices with the released patches to limit the possibility of exploits linked to the reported flaws. Those who don’t have automatic updates enabled are advised to manually do so from Settings>>>General>>>Software Update section.