Apple on Thursday released multiple security updates to patch three zero-day vulnerabilities that were revealed to be actively exploited in the wild.
The fixes were rolled out as part of its iOS, iPadOS, macOS, and watchOS updates. The bugs reside in the FontParser component and the kernel, and allow adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.
The zero days were discovered and reported to Apple by Google’s Project Zero security team.
“Apple is aware of reports that exploitation of this issue exists in the wild,” the iPhone maker said of the three zero days, without providing any additional details so as to allow the vast majority of users to install the updates.
The list of affected devices includes iPhone 5s and later, 6th and 7th generation iPod touch, iPad Air, iPad mini 2 and later, and Apple Watch Series 1 and later.
The fixes are available in iOS versions 12.4.9 and 14.2, iPadOS 14.2, watchOS 5.3.9, 6.2.9, and 7.1, and as a supplemental update for macOS Catalina 10.15.7.
According to Apple’s security bulletin, the flaws are:
- CVE-2020-27930: A memory corruption issue in the FontParser library that allows remote code execution when processing a maliciously crafted font.
- CVE-2020-27950: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.
- CVE-2020-27932: A type confusion issue that makes it possible for a malicious application to disclose kernel memory.
“Targeted exploitation in the wild similar to recently reported 0days,” said Shane Huntley, Director of Google’s Threat Analysis Group. “Not involved in any election targeting.”
The disclosure is the latest in the string of zero days that Project Zero has reported since October 20. First came a Chrome zero day in the FreeType font rendering library (CVE-2020-15999), then a Windows zero day (CVE-2020-17087), followed by two others in Chrome and its Android variant (CVE-2020-16009 and CVE-2020-16010).
A patch for the Windows zero day is expected to be released on November 10 as part of this month’s Patch Tuesday.
While more details are expected on whether the zero days were abused by the same threat actor, it is recommended that users update their devices to the latest versions to mitigate the risk associated with the flaws.