Three zero-day vulnerabilities can be used in iOS 14.2 and earlier versions to spy on your iPhone. Update now

Apple’s security teams announced the fix for three zero-day vulnerabilities in the iOS system, which have been actively exploited and affect iPhone, iPad, and iPod devices: “We are aware of reports about an exploit for this issue in real-world scenarios,” the company’s security alert mentions.

The vulnerable devices include all versions of iPhone after 6S, the seventh-generation iPod touch, iPad Air 2 and later, and iPad mini 4 and later. Apple fixed the flaws with the release of iOS 14.2, the latest stable version of the mobile operating system.

Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6

- Ben Hawkes (@benhawkes) November 5, 2020

The first flaw, tracked as CVE-2020-27930, is a remote code execution (RCE) flaw caused by a memory corruption issue that is triggered when the FontParser library processes a maliciously crafted font. The second zero-day flaw, tracked as CVE-2020-27950, is a kernel memory leak caused by a memory initialization issue that allows malicious applications to access kernel memory.

Finally, the third is a kernel privilege escalation flaw (CVE-2020-27932) caused by a type confusion issue that makes it possible for malicious applications to execute arbitrary code with kernel privileges. Project Zero, Google’s vulnerability research team, was responsible for these reports and notified Apple in a timely manner.

In addition to these critical flaws, Project Zero reported four other vulnerabilities that were fixed over the past two weeks. Google fixed two actively exploited Chrome zero-day flaws, including a stack buffer overflow flaw in the Android user interface.

Originally published at https://www.securitynewspaper.com on November 6, 2020.
