The vulnerabilities, which are all being abused for targeted attacks, affect a long list of devices
Just days after Google disclosed an actively-exploited bug in Windows and discovered and squashed two zero-day bugs in its Chrome web browser, Apple has released patches of its own to fix three zero-day vulnerabilities under active attacks. The trio of flaws, affecting a broad range of Apple’s products, also happened to be unearthed by the bug-hunting crew of the Alphabet-owned company.
“Apple is aware of reports that an exploit for this issue exists in the wild,” reads the company’s security bulletin describing each of the three flaws. They’re being patched along with a number of other security bugs as part of the release of iOS and iPadOS 14.2.
The list of devices impacted by the zero days includes iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later.
The Cupertino tech giant also issued security updates for the vulnerabilities across a range of its other products, including the Apple Watch with watchOS 5.3.9, 6.2.9, and 7.1, a supplemental update for its Mac products with macOS Catalina 10.15.7, as well as a fix for older devices running iOS 12.4.9.
Ben Hawkes, the technical lead of Google’s Project Zero, had this to say on Twitter:
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
— Ben Hawkes (@benhawkes) November 5, 2020
Meanwhile, Shane Huntley of Google’s Threat Analysis Group tweeted that the exploitation of the vulnerabilities is targeted and seems to be related to the zero-days that have been uncovered over the past month.
The first vulnerability, located in the FontParser and tracked as CVE-2020-27930, is a Remote Code Execution (RCE) flaw that could be triggered by the processing of a maliciously crafted font potentially allowing an attacker to launch an attack remotely.
Meanwhile the second flaw, indexed as CVE-2020-27950, resides in the kernel and is described as a kernel memory leak flaw. An attacker could exploit it by creating a malicious application to disclose kernel memory; according to VULDB, exploitation needs to happen locally and requires a single authentication.
The third zero-day bug, tracked as CVE-2020-27932, is a kernel privilege escalation vulnerability. “A malicious application may be able to execute arbitrary code with kernel privileges,” Apple warned.
Computer Emergency Response Teams (CERT) from Hong Kong and Singapore issued alerts urging users of the affected Apple devices to apply the updates immediately. If you don’t have automatic updates enabled, you can update your iPhone and iPad manually by going to the Settings menu, then tapping General and going to the Software Update section.