iOS update fixes three major security flaws that have already been exploited

(Image credit: StockSnap/Pixabay)
Audio player loading…

Apple has released a new security update for iOS to address three zero-day vulnerabilities that are actively being exploited by cybercriminals in the wild.

According to the director of Google's Threat Analysis Group, Shane Huntley the three iOS zero-days are related to another trio of zero-days in its Chrome browser (opens in new tab) as well as to a Windows zero-day (opens in new tab) which was recently disclosed by the company's Project Zero security team.

In a tweet (opens in new tab), Huntely confirmed that three iOS zero days were being used for targeted exploitation in the wild though they are not being used to target the 2020 election in the US. While the zero-days are currently being used in attacks, Google did not share any details regarding who is responsible or who was targeted.

iOS zero-days

iOS users should update their devices to iOS 14.2 (opens in new tab) to prevent falling victim to any potential attacks exploiting the three zero-days. The vulnerabilities have also been fixed in iPadOS 14.2 and watchOS 5.38, 6.2.9, and 7.1, though the fixes have also been backported to older iPhones via iOS 12.4.9.

The attacks leveraging the zero-days in iOS were discovered by Google's Project Zero (opens in new tab) security team which reported its findings to Apple.

According to Project Zero team lead Ben Hawkes the first zero day is a remote code execution flaw, tracked as CVE-2020-27930 (opens in new tab), in the iOS FontParser component that allows an attacker to run code remotely on iOS devices. The second zero-day is a privilege escalation vulnerability, tracked as CVE-2020-27932 (opens in new tab), in the iOS kernel that allows an attacker to run malicious code with kernel-level privileges. Finally the third zero-day is a memory leak in the iOS kernel, tracked as CVE-2020-27950 (opens in new tab), that allows an attacker to retrieve content from an iOS device's kernel memory.

The reason why iOS users are being urged to update their devices as soon as possible is because all three zero-days are used together as part of an exploit chain that allows an attacker to compromise iPhones remotely.

Via ZDNet (opens in new tab)

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.