Recently, Google researchers revealed a zero-day vulnerability affecting Microsoft Windows. It seems they also analyzed other systems as they reported three zero-day vulnerabilities affecting iOS as well. Apple has released fixes for the vulnerabilities.
Three iOS Zero-Day Bugs
Security researchers from Google Project Zero discovered three iOS zero-day bugs that they reported to Apple.
The news surfaced online after Ben Hawkes from Project Zero mentioned the bugs in his tweet.
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
— Ben Hawkes (@benhawkes) November 5, 2020
As disclosed, the three under attack bugs affecting iOS devices include CVE-2020-27930: a code execution vulnerability affecting the FontParser due to memory corruption, CVE-2020-27950: a memory initialization issue, and CVE-2020-27932: a type confusion flaw leading to arbitrary code execution. The latter two bugs specifically existed in the Kernel.
Previously, Google also disclosed a yet unpatched zero-day vulnerability affecting the Windows Kernel (CVE-2020-17087). While Microsoft is yet to patch the vulnerability, Google has addressed a Chrome zero-day (CVE-2020-15999) that could trigger a chain reaction with Windows zero-day.
Maintaining their standard policy, Google hasn’t revealed any details about the three iOS bugs to allow most users to patch their devices.
The only thing they confirmed is the targeted exploitation of the flaws.
Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.
— Shane Huntley (@ShaneHuntley) November 5, 2020
Apple Fixed The Vulnerabilities
Apple has released fixes for the bugs with the release of iOS 14.2 and iPadOS 14.2. The corresponding devices that can receive this update include iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. The tech giant has also confirmed in the security bulletin that it is aware of active exploitation of the three flaws.
However, it seems that the bugs not only affect the latest iOS 14, but also the previous versions. Besides iOS 14.2, Apple has also fixed the same bugs with the release of iOS 12.4.9 simultaneously. The latter is available for iPhone 5s, iPhone 6 and 6 Plus, iPad Air, iPad mini 2 and 3, iPod touch (6th generation).