Three iOS Zero-day Vulnerabilities - ThreatWire

By Shannon Morse 

Apple just released a series of security updates that patch three zero day vulnerabilities found on their devices. These are being actively exploited in the wild, so it’s probably a good idea to run these updates as soon as possible. The affected devices include the iPhone 5s and up, the iPod 6th and 7th gens, iPad Air, iPad mini 2 and newer, and Apple watch series 1 and newer. On Thursday, Apple publicly disclosed the vulnerabilities and released the patches in response to the discovery and disclosure made by Google’s Project Zero team. The issues include CVE-2020-27930, 2020-27932, and 2020-27950.

The first flaw resides within the FontParser on iPhone, iPad, and iPod devices, and is a memory corruption issue. This flaw could allow an attacker to process malicious fonts that could lead to arbitrary code execution. They improved the input validation for this component in the patch. CVE-2020-27932 and 27950 both reside within the kernel, both of which affect iphones, ipads, and ipods. The former could allow a malicious application to execute code with kernel privileges, and it was a type confusion issue addressed with improved state handling. The latter could allow a malicious application to disclose kernel memory, though a memory initialization issue. All of which are now patched.

Multiple other vulnerabilities were included in this newest security update as well, after being disclosed by Trend Micro Zero Day Initiative, researchers at Ant Security Light Year Lab, Cisco Talos and independent security researchers.

The good thing is: all of these zero days are targeted, so an attacker would need to specifically be targeting your device to initiate the process. With that said, though, it’s generally good security hygiene to update with security patches ASAP. To update i devices, go to settings, general, then software update. If a new download is available, choose download and install. You can also turn on automatic updates in these settings. Depending on your device, you’ll need to download version iOS 12.4.9 and 14.2, iPadOS 14.2, WatchOS 5.3.9, 6.2.9 and 7.1, and for MacOS Catalina 10.15.7.

Links:

Join now for access to extra perks and to support ThreatWire!  https://www.patreon.com/threatwire

iOS Updates:

https://thehackernews.com/2020/11/update-your-ios-devices-now-3-actively.html

https://arstechnica.com/information-technology/2020/11/apple-patches-ios-against-3-actively-exploited-0days-found-by-google/

https://threatpost.com/apple-patches-bugs-zero-days/161010/

https://www.zdnet.com/article/apple-fixes-three-ios-zero-days-exploited-in-the-wild/

https://www.cyberscoop.com/apple-ios-update-vulnerabilities-exploited-google/