Apple has patched three vulnerabilities in iOS (and iPadOS) that were actively being exploited in targeted attacks. Vulnerabilities that are being exploited in the wild without a patch being available are referred to as zero-days. The vulnerabilities were found and disclosed by Google’s Project Zero team, and patches were issued yesterday.
What has Apple patched in the update?
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list. CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
The zero-days are listed under the ID numbers:
CVE-2020-27930: Affected by this issue is some unknown processing of the component FontParser. Manipulation with an unknown input could lead to a memory corruption vulnerability. This means a font could be created which leads to memory corruption, allowing for a remote code execution (RCE) attack .
CVE-2020-27932: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild. Using such a vulnerability could allow malware to bypass security restrictions on an affected system.
CVE-2020-27950: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild. Disclosed kernel memory may contain sensitive data like encryption keys and memory addresses used to defeat the address space layout randomization.
What is Project Zero?
Formed in 2014, Project Zero is a team of security researchers at Google who find and study zero-day vulnerabilities in hardware and software systems. Their mission is to make the discovery and exploitation of security vulnerabilities more difficult, and to significantly improve the safety and security of the Internet for everyone.
Update your iOS now
Since Apple has flagged that at least two of these vulnerabilities are being exploited in the wild and told us of the possible consequences, users should install the update as soon as possible.
Owners of an iPhone or iPad are advised to update to iOS 14.2 and iPadOS 14.2 or iOS 12.4.9. Apple patched the same vulnerabilities in the Supplementary Update for macOS Catalina 10.15.7. You can always find the latest Apple security updates at its security updates site.
Stay safe, everyone!