Apple patches iOS against three actively exploited zero-days discovered by Google


Apple has patched iOS against three zero-day vulnerabilities that attackers were actively exploiting in the wild. The attacks were discovered by Google's Project Zero research group, which has found four other zero-day exploits in the past few weeks: three against Chrome and one against Windows.

The vulnerabilities affect the iPhone 6s and later, the seventh-generation iPod touch, the iPad Air 2 and later, and the iPad mini 4 and later. The flaws are:

  • CVE-2020-27930, a code execution vulnerability that an attacker could exploit with maliciously crafted fonts
  • CVE-2020-27950, which allows a malicious app to obtain locations in kernel memory, and
  • CVE-2020-27932, a bug that allows code to run with highly privileged system rights.

Apple fixed the zero-days and other security vulnerabilities earlier with the release of iOS 14.2. Apple has fixed the same vulnerabilities in the Supplemental Update for macOS Catalina 10.15.7. Project Zero lead Ben Hawkes posted his own disclosure here.

The disclosure marks the fifth, sixth, and seventh zero-days that Project Zero has reported since October 20. CVE-2020-15999, CVE-2020-16009, and CVE-2020-16010 affected Chrome for desktop or Chrome for Android. Meanwhile, Project Zero also discovered CVE-2020-117087, a Windows 10 and Windows 7 bug that allows attackers to escalate system privileges. Attackers had chained CVE-2020-15999 with CVE-2020-117087: the first provided restricted code execution, and the second let that code run with elevated system privileges.

Google has not given details of the attacks other than to say that they are targeted (that is, they go after certain people of interest) and that they are unrelated to the November election. Patches are available for all of the vulnerabilities except the Windows one, which is expected to be fixed on Tuesday. While few readers are likely to have been targeted with the iOS exploits, users should install Thursday's version 14.2 as soon as possible.


Steven Gregory