Apple patched three vulnerabilities in iOS, iPadOS, macOS, and watchOS that were being actively exploited and that affect iPhone, iPad, and iPod touch devices.
The flaws lie in the FontParser component and in the kernel, and together they allow attackers to remotely execute arbitrary code and to run malware with kernel-level privileges.
In the security advisory describing the three flaws, the company said only that "Apple is aware of reports that there is an exploitation of this problem", giving no further details so that the majority of users have time to install the updates first.
The list of affected devices includes iPhone 5s and later, iPod touch 6th and 7th generation, iPad Air 2 and later, iPad mini 2 and later, and Apple Watch Series 1 and later.
The vulnerabilities also affect other Apple systems, including:
– Mac devices running macOS Catalina prior to macOS Catalina 10.15.7.
– iPads running iPadOS versions before iPadOS 14.2.
– Apple smartwatches with watchOS versions prior to watchOS 7.1, watchOS 6.2.9 and watchOS 5.3.9.
– Apple TVs with tvOS versions earlier than tvOS 14.2.
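For a fleet owner, the list above becomes a version check. The following is an added example (not code from the article or from Apple): it takes the minimum patched versions named in the text and compares device inventory records against them numerically, because a plain string comparison would rank "10.15.10" below "10.15.7". The `FIXED_VERSIONS` table holds the thresholds from the list above; the inventory records and all function names are constructed for this illustration.

```python
"""Flag devices still running a version below the fixes listed in the advisory text above.
Added example: thresholds are taken from the page, the inventory is constructed sample data."""
from typing import Dict, List, Optional, Tuple

# Minimum patched version per platform, as listed in the text above. watchOS received fixes on
# three maintenance branches, so a device is compared against the fix for its own major version.
# The iOS/iPadOS threshold (14.2) is the one the text gives for iPads.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "macOS":   ["10.15.7"],              # macOS Catalina
    "iOS":     ["14.2"],
    "iPadOS":  ["14.2"],
    "watchOS": ["5.3.9", "6.2.9", "7.1"],
    "tvOS":    ["14.2"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.15.7' -> (10, 15, 7). Numeric components are required: a string compare
    would rank '10.15.10' below '10.15.7'."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(installed: str, required: str) -> bool:
    """Numeric comparison with zero-padding so that '14.2' equals '14.2.0'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def is_patched(platform: str, installed: str) -> Optional[bool]:
    """True if the device is at or above the fix for its branch, False if below,
    None if the platform is not covered by the list (assumption made here: an
    unknown platform is reported as unknown rather than guessed)."""
    fixes = FIXED_VERSIONS.get(platform)
    if not fixes:
        return None
    major = parse_version(installed)[0]
    same_branch = [f for f in fixes if parse_version(f)[0] == major]
    if same_branch:
        return version_at_least(installed, max(same_branch, key=parse_version))
    majors = [parse_version(f)[0] for f in fixes]
    # No fix listed for this major: a release older than every listed branch is
    # unpatched; a newer major line shipped after the fix (assumption).
    return major > max(majors)


def find_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the ids of devices below the fixed version. Unknown platforms are
    skipped here; a real report would list them separately."""
    return [d["id"] for d in inventory if is_patched(d["platform"], d["version"]) is False]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"id": "mac-01",   "platform": "macOS",   "version": "10.15.6"},
    {"id": "mac-02",   "platform": "macOS",   "version": "10.15.7"},
    {"id": "ipad-01",  "platform": "iPadOS",  "version": "14.1"},
    {"id": "ipad-02",  "platform": "iPadOS",  "version": "14.2"},
    {"id": "watch-01", "platform": "watchOS", "version": "6.2.8"},
    {"id": "watch-02", "platform": "watchOS", "version": "7.1"},
    {"id": "tv-01",    "platform": "tvOS",    "version": "14.0.2"},
]

if __name__ == "__main__":
    for dev_id in find_unpatched(SAMPLE_INVENTORY):
        print("needs update:", dev_id)
```

Per-branch matching matters for watchOS, where 6.2.8 is unpatched even though it sorts above 5.3.9; the check compares each device only against the fix on its own major version.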
The first vulnerability, CVE-2020-27930, is a remote code execution bug triggered by a memory corruption issue when a maliciously crafted font is processed by the FontParser library.
The second, CVE-2020-27950, is a kernel memory leak (information disclosure) resulting from a memory initialization issue that allows a malicious application to read kernel memory.
The third actively exploited vulnerability, CVE-2020-27932, is a kernel privilege escalation bug caused by a type confusion issue that makes it possible for a malicious application to execute arbitrary code with kernel privileges.
Google's Project Zero bug research team discovered the vulnerabilities and reported them to Apple's security team.
Shane Huntley, director of Google's Threat Analysis Group, said: "The targeted exploitation of vulnerabilities is similar to what was recently reported, and has nothing to do with any electoral targeting."
"Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting." — Shane Huntley (@ShaneHuntley), November 5, 2020