Today, Apple has released iOS 14.2, iPadOS 14.2, and a new update for its iPhone, iPad, and iPod. These updates contain patches to three critical zero-day bugs while they are being exploited in the wild already. While one is an RCE bug, the other two are kernel memory leak and privilege escalation bugs. Google’s Project Zero team reported these to Apple.
RCE Bug in iPhones and iPads
While Apple devices are touted to be more secure than anything, they’re infested with similar bugs as others, though found less. Today, the company has released two new updates to its iPhone (as of iOS 14.2), iPadOS (as iPadOS 14.2), and iPod, to patch three zero-day bugs reported by Google’s Project Zero team.
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
— Ben Hawkes (@benhawkes) November 5, 2020
These bugs affect Apple devices of iPhone 6 and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touches 7th generation.
Apple said it’s “aware of reports that an exploit for this issue exists in the wild,” thus released these updates to patch them all. Also, Shane Huntley from Google’s Threat Intelligence Group said: “Targeted exploitation in the wild similar to the other recently reported 0days”.
The three zero-day bugs are as follows;
CVE-2020-27930 – A remote code execution (RCE) bug is caused by a memory corruption issue when the device’s FontParser library processes a maliciously crafted font sent by the attacker.
CVE-2020-27950 – relating to a kernel memory leak, this vulnerability results from a memory initialization issue that ultimately lets any malicious apps access the kernel memory of the device.
CVE-2020-27932 – This is more of a confusion issue, where a malicious application can execute an arbitrary code with kernel privileges in the device, letting the attacker has escalated privilege.
The Project Zero team has also discovered few bugs in their Chrome browser and some in Microsoft’s Windows OS, which is reported last week. While the bug in Chrome was fixed with a patch update soon, the bug in Windows affects versions 7 to 10, allowing attackers with escalated privilege and exploiting the kernel.