Patches have been released to correct three zero-day vulnerabilities in the iOS operating systems that are currently being exploited in the wild.
The vulnerabilities affect the following Apple devices:
- iPhones – 6s and later
- iPads Air 2 and later
- iPad mini 4 and later
- iPod 7th generation
All three vulnerabilities have been corrected in iOS 14.2, along with several other vulnerabilities
A memory corruption issue exists which can be triggered when the FontParser library processes a maliciously crafted font, which can allow the remote execution of arbitrary code on a vulnerable device. The vulnerability is being tracked under the code CVE-2020-27930
A memory initialization issue can lead to a kernel memory leak which can allow malicious applications to access the kernel memory. The vulnerability is being tracked under the code CVE-2020-27950.
The third vulnerability is a type confusion issue which allows kernel privilege escalation. If triggered, malicious applications could execute arbitrary code with kernel privileges. The vulnerability is being tracked under the code CVE-2020-27932.
The three flaws were discovered by the Google Project Zero team, which reported the flaws to Apple. While there have been cases identified where the vulnerabilities have been targeted, there are no known cases of the flaws being exploited in order to interfere with the U.S. Presidential elections. Users of vulnerable devices have been advised to apply the updates as soon as possible to prevent exploitation.
Google’s Project Zero team has also reported four other zero-day vulnerabilities since October 20, three of which affect Chrome and the other affects the Windows operating system. The vulnerabilities in Chrome have now been corrected in version 86.0.4240.185 of the browser. The Windows zero-day has not yet been patched, although a fix is expected on November Patch Tuesday.