Apple has patched iOS against three zero-day vulnerabilities that attackers are actively exploiting. The attacks were uncovered by Google’s Project Zero vulnerability research team, which over the past few weeks uncovered four other zero-day exploits – three against Chrome and a third against Windows .
Security flaws affect iPhone 6s or later, iPod touch seventh generation, iPad Air 2 or later, and iPad mini 4 and up. The flaws are:
- CVE-2020-27930, a code execution vulnerability that an attacker could trigger using maliciously generated fonts
- CVE-2020-27950, which allows a malicious application to obtain locations in kernel and memory
- CVE-2020-27932, an error allowing code to run with high privileged system permissions.
Apple fixed zero-days and other vulnerabilities with the previous release of iOS 14.2. Apple has patched similar vulnerabilities in the Additional Update for macOS Catalina 10.15.7. Project Zero Team Leader Ben Hawkes provided personal disclosure here.
Disclosure marks the fifth, sixth, and seventh time Project Zero has reported as of October 20. CVE-2020-15999, CVE-2020-16009, and CVE-2020-16010 are affected by Chrome for desktop computer or Chrome for Android. Meanwhile, Project Zero also discovered CVE-2020-117087, a vulnerability in Windows 10 and Windows 7 that allowed an attacker to elevate system privileges. Hackers have combined CVE-2020-15999 with CVE-2020-117087. The first one executes limited code and the second runs it with elevated system privileges.
Google did not provide details about the attacks beyond their target (meaning they hunt for individuals of particular interest) and they are not relevant to the November election. for all vulnerabilities outside of Windows, expected to be fixed on Tuesday. While very few people read if potentially targeted with an iOS exploit, everyone should install the Thursday 14.2 release as soon as they are realistic.