On Thursday apple issued a few security updates for 3 iOS vulnerabilities that were vigorously assaulted.
These vulnerabilities were found in the FontParser and Kernel of iOS. Allowing the attacker to remotely execute the arbitrary code with kernel-level benefits.
These Zero-Days were found by Google’s Project Zero. According to the director of the Google Threat Analysis Team, the ios zero-days are closely connected with the other zero-days found in google chrome and windows this month. But is not targeting the elections.
Any other information about the attacker or target was not shared.
The list of devices that are affected is as follows:
- iPhone 5s and Next
- iPod 6th and 7th Generation
- iPad Air
- iPad Mini 2 and Next
- Apple watches series 1 and Next
Security patches are available for iOS 12.4.9 and 14.2, iPad OS 14.2, watch OS 5.3.9, 6.2.9 and 7.1, and for mac OS Catalina 10.15.7.
According to Google Project Zero team leader Ben Hawkes, Three iOS vulnerabilities are as follows:
RISK: CRITICAL
CVE-2020-27930: This vulnerability was found in the FontParser, Allowing the attacker to ploy against the target tricking the user to click on the maliciously crafted document. Triggering the memory corruption & executing the arbitrary code on the system.
This vulnerability allows the attacker to remotely attack the machine.
RISK: MEDIUM
CVE-2020-27932: This vulnerability is exploited locally, the attacker needs to have credentials for authentication.
This is a classic privilege escalation exploit. A specifically crafted program can help the attacker to execute the arbitrary code with escalated privileges.
RISK: LOW
CVE-2020-27950: This vulnerability is exploited locally, It is used to obtain potentially sensitive information.
This exploit occurs due to the “type confusion” in the mac OS. Allowing the attacker to gain kernel-level sensitive information.
It’s unclear whether these vulnerabilities were used to target a single or in-mass. Apple users are recommended to update their devices to be safe.