Yesterday (November 5, 2020) Apple released multiple security patches to prevent three (3) zero-day vulnerabilities that are already known to be actively exploited in the wild.
This impacts iOS, IPadOS, MacOS , and WatchOS. The flaws affect the front component parser and the kernel, allowing bad actors to execute arbitrary code and run malicious programs with kernel-level privileges.
The Zero-Days were discovered and reported to Apple by Google’s Project Zero security team.
The list of impacted devices can be found here and includes iPhone 5s and later, iPod Touch 6th and 7th generation, iPad Air, iPad mini 2 and later, and Apple Watch Series 1 and later.
The fixes are available in versions iOS 12.4.9 and 14.2, iPadOS 14.2, watchOS 5.3.9, 6.2.9, and 7.1, and as a supplemental update for macOS Catalina 10.15.7.
The full security bulletin can be found here.
- CVE-2020-27930: A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.
- CVE-2020-27932: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.
- CVE-2020-27950: A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.
A patch for the Windows zero-day is expected to be released on November 10 as part of this month’s Patch Tuesday.
While more details are awaited on whether the zero-days were abused by the same threat actor, it’s recommended that users update their devices to the latest versions to mitigate the risk associated with the flaws.