Today, Apple released security updates for iOS to patch three zero-day vulnerabilities found to be exploited in attacks on its users.

The three iOS zero-days are linked to the latest spate of three Chrome zero-days and a Windows zero-day that Google had previously announced during the past two weeks, according to Shane Huntley, Director of Google’s Threat Analysis Group.

“Apple is aware of reports that an exploit for this issue exists in the wild,” the company said in a security advisory issued today when describing the three flaws.

iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later are included in the list of affected devices.

Apple addressed the zero-days earlier today with the release of iOS 14.2, the latest stable version of its mobile OS.

Although it is unclear whether the zero-days have been used against selected targets or en masse, iOS users are advised to upgrade to iOS 14.2, just to be on the safe side.

The same security vulnerabilities were also patched in iPadOS 14.2 and watchOS 5.3.8, 6.2.9, and 7.1, and were also backported for older generation iPhones via iOS 12.4.9, also released today.

As per Google Project Zero team lead Ben Hawkes, whose team exposed and reported the attacks to Apple, the three iOS zero-days are:

  • CVE-2020-27930: a remote code execution issue in the iOS FontParser component that lets attackers run code remotely on iOS devices.
  • CVE-2020-27932: a privilege escalation vulnerability in the iOS kernel that lets attackers run malicious code with kernel-level privileges.
  • CVE-2020-27950: a memory leak in the iOS kernel that allows attackers to retrieve content from an iOS device’s kernel memory.

All three vulnerabilities are claimed to have been used together as part of an exploit chain, allowing attackers to remotely compromise iPhones.

Google has not released technical details about the threat actors that exploited the above issues or about their targets.
