Apple yesterday released iOS patches for three zero-day vulnerabilities that were discovered by Google’s Project Zero security team.
Researchers said all three vulnerabilities were used as part of an exploit chain that lets attackers compromise iOS devices and potentially turn users' devices against them, taking over the camera or microphone, sharing location data and logging keystrokes as users enter personal or work credentials.
Shane Huntley, director of the threat analysis group at Google Security, wrote in a tweet that the targeted zero-days in the wild patched by Apple late this week were similar to the other zero-days Google reported on its Chrome platform earlier this week. Huntley added that the zero-days did not appear to be related to any election-related hacking activity.
The three vulnerabilities were the following:
- CVE-2020-27930: A remote code execution flaw in the iOS FontParser that lets attackers run malicious code on iOS products.
- CVE-2020-27932: A flaw in the iOS kernel that lets attackers run malicious code with kernel-level privileges.
- CVE-2020-27950: A memory leak in the iOS kernel that lets attackers obtain content from iOS kernel memory.
Chris Hazelton, director of security solutions at Lookout, added that Apple has moved quickly to patch these vulnerabilities. Hazelton said that while mobile operating systems were built to be more secure than those for desktops, as smartphones and tablets expand in capabilities, so does their potential for vulnerabilities.
“Vulnerabilities at the mobile operating system level can leave the door open for cybercriminals and nation-state actors to steal personal and organizational data,” Hazelton said.
Attackers can exploit smartphone vulnerabilities to circumvent native protections in mobile operating systems, said Hazelton. For example, in the case of the iOS vulnerability called FontParser (CVE-2020-27930), a malicious font triggers a vulnerability that enables arbitrary code execution. Such code execution could include the installation of a malicious app that has privileged access to the device.
While neither Apple nor Google disclosed how many targets were hit, as a safety precaution, they advised iOS users to run the patch for iOS 14.2. To learn more about all the updates, go to the Apple security update page.