Apple on Thursday delivered different security updates to fix three zero-day weaknesses that were uncovered as being effectively misused in nature.
Turned out as a feature of its iOS, iPadOS, macOS, and watchOS updates, the flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.
The zero-days were discovered and reported to Apple by Google’s Project Zero security team.
“Apple is aware of reports that an exploit for this issue exists in the wild,” the iPhone producer said of the three zero-days without giving any extra subtleties in order to permit a dominant part of clients to introduce the updates.
The rundown of affected gadgets incorporates iPhone 5s and later, iPod contact sixth and seventh era, iPad Air, iPad little 2 and later, and Apple Watch Series 1 and later.
The fixes are accessible in variants iOS 12.4.9 and 14.2, iPadOS 14.2, watchOS 5.3.9, 6.2.9, and 7.1, and as a supplemental update for macOS Catalina 10.15.7.
According to Apple’s security bulletin, the flaws are:
CVE-2020-27930: A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.
CVE-2020-27932: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.
CVE-2020-27950: A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.
“Targeted exploitation in the wild similar to the other recently reported 0days,” said Shane Huntley, Director of Google’s Threat Analysis Group. “Not related to any election targeting.”
The disclosure is the latest in the string of zero-days Project Zero has reported since October 20. First came the Chrome zero-day in Freetype font rendering library (CVE-2020-15999), then a Windows zero-day (CVE-2020-17087), followed by two more in Chrome and its Android variant (CVE-2020-16009 and CVE-2020-16010).
A patch for the Windows zero-day is expected to be released on November 10 as part of this month’s Patch Tuesday.
While more details are awaited on whether the zero-days were abused by the same threat actor, it’s recommended that users update their devices to the latest versions to mitigate the risk associated with the flaws.