
iOS update fixes three major security flaws that have already been exploited


Apple has released a new security update for iOS to address three zero-day vulnerabilities that are actively being exploited by cybercriminals in the wild.

According to the director of Google's Threat Analysis Group, Shane Huntley, the three iOS zero-days are related to another trio of zero-days in its Chrome browser as well as to a Windows zero-day which was recently disclosed by the company's Project Zero security team.

In a tweet, Huntley confirmed that three iOS zero-days were being used for targeted exploitation in the wild, though they are not being used to target the 2020 election in the US. While the zero-days are currently being used in attacks, Google did not share any details regarding who is responsible or who was targeted.

iOS zero-days

iOS users should update their devices to iOS 14.2 to avoid falling victim to attacks exploiting the three zero-days. The vulnerabilities have also been fixed in iPadOS 14.2 and watchOS 5.38, 6.2.9, and 7.1, and the fixes have been backported to older iPhones via iOS 12.4.9.

The attacks leveraging the zero-days in iOS were discovered by Google's Project Zero security team, which reported its findings to Apple.

According to Project Zero team lead Ben Hawkes, the first zero-day is a remote code execution flaw, tracked as CVE-2020-27930, in the iOS FontParser component that allows an attacker to run code remotely on iOS devices. The second zero-day is a privilege escalation vulnerability, tracked as CVE-2020-27932, in the iOS kernel that allows an attacker to run malicious code with kernel-level privileges. Finally, the third zero-day is a memory leak in the iOS kernel, tracked as CVE-2020-27950, that allows an attacker to retrieve content from an iOS device's kernel memory.

iOS users are being urged to update their devices as soon as possible because all three zero-days are used together as part of an exploit chain that allows an attacker to compromise iPhones remotely.

Via ZDNet