Apple emits iOS, iPadOS, watchOS, macOS patches to fix three hijack-my-device flaws exploited in the wild

Trio of bugs reported by Google Project Zero, plenty of other flaws addressed


Apple on Thursday issued security updates for iOS, iPadOS, watchOS, and macOS that address three holes reported by Google's Project Zero bug hunters among exploitable flaws found by others. Installing the latest software for your iPhone, iPad and so on will address these programming blunders.

The iPhone giant's security bulletins note that the three flaws discovered and reported by Project Zero – CVE-2020-27930 (remote-code execution), CVE-2020-27950 (kernel memory leak), and CVE-2020-27932 (kernel privilege-escalation) – are being actively exploited in the wild.

CVE-2020-27930 is a bug in Apple's font parser that can be exploited by a specially crafted font to achieve arbitrary code execution. CVE-2020-27950 covers a bug that allows a malicious application to disclose kernel memory. CVE-2020-27950 provides a way for a malicious application to run arbitrary code with kernel privileges.

You can probably imagine how these can be chained together to hijack someone's device: get them to open a document, message, or webpage that loads in a maliciously crafted font, which is parsed and triggers code execution with kernel privileges and silently commandeers the handheld.

Apple also issued a security update for tvOS, though that upgrade doesn't cover these three CVEs.

Apple Safari icon

Here's a neat exploit to trick someone into inadvertently emailing their files to you from their Mac, iPhone via Safari

READ MORE

Via Twitter, Shane Huntley, director of Google's Threat Analysis Group, provided no additional detail beyond stating that the vulnerabilities are being exploited against selected targets though haven't been used for election meddling.

The updates have been designated iOS 14.2 and iPadOS 14.2, watchOS 7.1, macOS 10.15.7, and tvOS 14.2.

Apple also issued iOS 12.4.9 for outdated iPhone models that it no longer supports in current iOS releases, going back to iPhone 5s. Older watchOS releases also saw updates in the form of watchOS 6.2.9 and 5.3.9. This suggests the bugs are serious enough to warrant an exception for unsupported devices.

The iOS 14.2 and iPadOS 14.2 update covers a total of 24 CVEs including the three flagged by Google. Seventeen, including those three, allow arbitrary code execution. But only the Project Zero bugs are said to be under active exploitation.

Which is just as well because CVE-2020-27902, discovered by developer Connor Ford, can be exploited by a "person with physical access to an iOS device ... to access stored passwords without authentication." This is present in the iOS Keyboard software component, and was fixed by improving the code's state machine.

The watchOS 7.1 update cites 18 CVEs.

The macOS 10.15.7 update only includes the three Project Zero bugs.

Next week, Apple is expected to introduce its first Arm-based Apple Silicon notebook, marking a major chip architecture transition for the company. ®


Biting the hand that feeds IT © 1998–2020