Apple releases a patch for three actively exploited iOS 0-days found by Google
Apple has recently released iOS 14.2 with the patch for three zero day vulnerabilities affecting several IPhone, IPad and iPod devices.
The company said in a security advisory at the time they are describing the three flaws; “Apple is aware of reports that an exploit for this issue exists in the wild”.
Three Zero day vulnerabilities and their cause:
- Remote code execution vulnerability (CVE-2020-27930) – it triggers memory corruption issue, arises when processing a malicious crafted font by the FontParser library.
- Kernel leak (CVE-2020-27950) – it causes memory initiation issue and allows malicious applications to enter kernel memory.
- Kernel privilege escalation flaw (CVE-2020-27932) – it is a type of confusion issue. It makes possible for malware to execute arbitrary code with kernel privileges.
The affected Apple devices include iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. The list also includes Macs running MacOS Catalina versions prior to 10.15.7, Ipads having iOS version is prior to iOS 14.2, Apples watch prior to watchOS 7.1, watchOS 6.2.9, watchOS 5.3.9, and Apple TV with TVOS versions prior to tvOS 14.2.
Project Zero Google’s oday-hunting team reported Apple about the security issue. There researchers also disclosed or patched four other zero-days during the last two weeks. Two of them include the Chrome zero-days flaws CVE-2020-15999 in the FreeType text-rendering library and CVE-2020-16009 in the WebAssembly and JavaScript engine.
Third one was CVE-2020-16010 caused when heap buffer overflow in the Android UI. It was addressed with the Chrome for Android 86.0.4240.185, released on Monday.
Project zero also disclosed an elevation of privileges (EoP) vulnerability. The patch for this Windows zero day should be provided by Microsoft with this month’s patch.