Apple released multiple security updates

Last Thursday, Apple released a number of security updates for its devices to patch three actively exploited zero-day vulnerabilities. The patches for the zero-days were included in the updates for iOS, iPadOS, macOS, and watchOS.

Google’s Project Zero security team identified the zero-days and disclosed them to Apple. According to the available information, the reported flaws are in the FontParser component and the kernel, and allow attackers to execute arbitrary code remotely, as well as to launch potentially malicious applications with kernel-level privileges.

Apple commented that it is aware of reports that these flaws are being exploited in the wild. However, the company hasn’t given any additional information on the zero-day exploits, so that more users can install the released updates first.

The devices affected include:

  • iPhone 5s and later versions
  • iPod touch 6th and 7th generation
  • iPad Air
  • iPad mini 2 and later
  • Apple Watch Series 1 and later

The patches are published as an extra update for Catalina 10.15.7, as well as in iOS 12.4.9 and 14.2, iPadOS 14.2, and watchOS 5.3.9, 6.2.9 and 7.1.

More details about the flaws can be found on Apple’s security page, where they are listed as follows:

  • CVE-2020-27930: a FontParser library memory corruption problem that enables remote code execution while a malicious font is processed.
  • CVE-2020-27932: a memory initialization bug that enables a malicious program to run arbitrary code with kernel rights.
  • CVE-2020-27950: a type-confusion problem that lets a malicious application reveal kernel memory.

Since October 20th, Project Zero has disclosed a number of zero-days, this one being the latest. More information on the misuse of the disclosed zero-days by the same malicious actor is expected to be disclosed. In the meantime, it is highly recommended that users upgrade their devices with the released patches to limit the possibility of exploits linked to the reported flaws. Those who don’t have automatic updates enabled are advised to update manually from the Settings > General > Software Update section.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her focus on simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
