Apple has patched three previously identified zero-day vulnerabilities in its iPhone, iPod and iPad devices that are potentially related to a spate of flaws recently discovered by the Google Project Zero team that also affect Google Chrome and Windows.
Apple this week released iOS 14.2 and iPadOS 14.2, which patch a total of 24 vulnerabilities, including the three already being exploited in the wild, in various components of the OSes, including audio, crash reporter, kernel and foundation. Release notes are available on the company’s support page.
Ben Hawkes from Google Project Zero identified the zero-days as “CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation),” he said in a tweet. Apple also gives credit to Project Zero for identifying these specific flaws in its security update and provides a bit more detail on each.
CVE-2020-27930 is a memory corruption flaw in the FontParser on iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later, according to Apple. The vulnerability allows an attacker to supply a “maliciously crafted font” whose processing can lead to arbitrary code execution.
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
— Ben Hawkes (@benhawkes) November 5, 2020
Apple described CVE-2020-27950 as a memory initialization issue in the iOS kernel that affects iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. The flaw would allow a malicious application to disclose kernel memory, the company said.
CVE-2020-27932 is also a kernel flaw, described as “a type confusion issue” that the company “addressed with improved state handling.” Attackers could exploit the flaw, found in iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later, using a malicious app that can execute arbitrary code with kernel privileges.
The Apple update comes on the heels of updates by Google in the last two weeks to patch a number of zero days in Google Chrome for both the desktop and Android versions of the browser.
In fact, Shane Huntley from Google’s Threat Analysis Group claims the recently patched Apple zero-day flaws are related to three Google Chrome zero-days and one Windows zero-day also revealed in the last two weeks, potentially as part of the same exploit chain.
“Targeted exploitation in the wild similar to the other recently reported 0days,” he tweeted, adding that the attacks are “not related to any election targeting.”
Apple and Google have a notorious past when it comes to vulnerability discovery. Google Project Zero researchers especially have been adept at finding flaws in Apple products, research that sometimes is refuted by the company.
The two tech giants famously butted heads last year over two zero-day bugs in the iPhone iOS after Google Project Zero researchers claimed that they had been exploited for years. Apple officials pushed back by insisting there was no evidence to support such activity.