Apple has released updates that fix three critical zero-day vulnerabilities in iOS and macOS, all of which were already being actively exploited in attacks.
The vulnerabilities were discovered by Google’s Project Zero and the company’s Threat Analysis Group (TAG). Ben Hawkes, the head of the Google Project Zero team, says the zero-days are:
- CVE-2020-27930 — Remote code execution in the iOS FontParser component, which allows attackers to remotely run code on iOS devices;
- CVE-2020-27932 — iOS kernel privilege escalation, which allows attackers to run malicious code on a device with kernel-level privileges;
- CVE-2020-27950 — iOS kernel memory leak that allows attackers to gain access to kernel memory.
The issues reportedly posed a threat to iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Apple has fixed the iOS vulnerabilities with the update to iOS 14.2. Because iOS and macOS share a lot of code, vulnerabilities with the same CVE numbers are also present in macOS, and Apple is providing an unscheduled update for macOS Catalina 10.15.7.
The bugs were also fixed in iPadOS 14.2 and in watchOS versions 5.3.8, 6.2.9, and 7.1, and patches were ported to older iPhones via iOS 12.4.9.
Recently, Google experts found and eliminated some serious bugs in the Chrome browser and also helped to uncover a zero-day vulnerability in Windows associated with them. All of these flaws were also being exploited in attacks, about which nothing is known yet.