Apple has pushed out an emergency update to iOS, patching three “zero-day” security flaws that are already being used by hackers to attack iPhones, iPads and iPods. Your iDevices need to be updated to iOS 14.2 and iPadOS 14.2.
“Apple is aware of reports that an exploit for this issue exists in the wild,” the company says next to the description of each flaw in an Apple security advisory released today (Nov. 5).
Apple didn’t call these “zero-day” flaws, but that’s what they are — vulnerabilities that are attacked by hackers before the defenders have a chance to fix them.
The flaws affect the iOS/iPadOS font parser and the iOS/iPadOS kernel. The font-parser flaw “may lead to arbitrary code execution” — i.e., a hack — when “processing a maliciously crafted font,” says Apple’s advisory.
In the case of the second flaw, “a malicious application may be able to disclose kernel memory,” which would expose passwords, keychains and other sensitive data.
The third flaw would let “a malicious application … execute arbitrary code with kernel privileges,” which is pretty much full system takeover.
The updates to iOS and iPadOS 14.2 fix 21 other security flaws, none of which are under active attack.
Apple also upgraded iOS 12 to version 12.4.9 to fix the three zero-day flaws plus one older FaceTime flaw on devices that can’t run iOS 14, including the iPhone 5s, 6 and 6 Plus, plus the iPad Air, iPad mini 2, iPad mini 3 and 6th-generation iPod touch.
Who’s attacking what?
Reading between the lines, we get the fuzzy outlines of a multi-stage attack chaining together these three actively exploited flaws.
First, use the font-parser flaw to remotely install a malicious app via a webpage; then use the malicious app and one kernel flaw to steal passwords; third, use the malicious app and the other kernel flaw to install even more malware.
And that sounds like a state-sponsored attack against specifically selected targets. China, for example, has used similar attacks on both iOS and Android devices to spy on ethnic Tibetan and Uyghur dissidents.
Criminal groups just out for money could also pull this sort of thing off, but they usually find it more profitable to stick to phishing attacks, adware and other low-hanging fruit.
These three flaws were discovered by the very busy researchers at Google Project Zero, whose technical lead Ben Hawkes disclosed them on Twitter.
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
November 5, 2020
Project Zero researchers in the past couple of weeks have also uncovered two zero-day flaws in Chrome and Chromium-based browsers and one zero-day flaw in Windows.
All these flaws are also being actively exploited. The Windows one hasn’t been patched yet, but it won’t work without one of the Chrome flaws, both of which have been fixed with browser updates.