Update Your iOS Devices Now — 3 Actively Exploited 0-Days Discovered
Apple on Thursday released multiple security updates to patch three zero-day vulnerabilities that were revealed as being actively exploited in the wild.
Rolled out as part of its iOS, iPadOS, macOS, and watchOS updates, the flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.
The zero-days were discovered and reported to Apple by Google’s Project Zero security team.
“Apple is aware of reports that an exploit for this issue exists in the wild,” the iPhone maker said of the three zero-days without giving any additional details so as to allow a vast majority of users to install the updates.
The list of impacted devices includes iPhone 5s and later, iPod touch 6th and 7th generation, iPad Air, iPad mini 2 and later, and Apple Watch Series 1 and later.
The fixes are available in versions iOS 12.4.9 and 14.2, iPadOS 14.2, watchOS 5.3.9, 6.2.9, and 7.1, and as a supplemental update for macOS Catalina 10.15.7.
According to Apple’s security bulletin, the flaws are:
- CVE-2020-27930: A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.
- CVE-2020-27932: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.
- CVE-2020-27950: A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.
“Targeted exploitation in the wild similar to the other recently reported 0days,” said Shane Huntley, Director of Google’s Threat Analysis Group. “Not related to any election targeting.”