Apple closes zero-day attack hole on iPhones that was being exploited
The last time Apple updated iOS 12 was mid-July 2020, back then there were no known security holes – the update just sought to fix the worst bugs so that Apple’s developers could stop maintaining the version. However, on 7 November there was a new version of iOS 12 that snuck out alongside updates for macOS Catalina, iOS 14 and tvOS 14.
There are four CVE (common vulnerabilities and exposures) entries in Apple’s safety notes, the first of which is more annoying than dangerous: participants in a FaceTime group calls could involuntarily send videos without realising.
The three other holes concern the kernel and font parser and can also be found in the updates for macOS Catalina, iOS and iPadOS 14, watchOS 7.1, watchOS 5.3.9 and watchOS 6.2.9. tvOS 14.2 wasn’t at risk from these vulnerabilities. Read: Apple updates iPhone, iPad, HomePod, Apple TV and Watch
In the case of the two kernel issues, Apple writes that they know of reports that these holes are already being used in attacks “in the wild”, i.e. on real end users, so these are veritable zero-day holes.
Incidentally, the security team at Google – Google Project Zero – discovered all three bugs and reported them to Apple. The same bugs were found in Chrome and Android as well.
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
— Ben Hawkes (@benhawkes) November 5, 2020
At the moment it is not yet clear how many iOS users could be attacked by the security vulnerabilities discovered.
The FontParser bug allows the possibility of executing any code remotely, theoretically it is possible to attack the iPhone with an email, message or chat without the attacked being aware of it.
Security company Zecops has also confirmed that it has registered attacks primarily on Chrome . These have been taking place for at least two weeks. The fact that Apple has updated watchOS 5 and 6 in addition to iOS 12 shows that the zero-day gap was serious.
Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.
— Shane Huntley (@ShaneHuntley) November 5, 2020
iOS 13 has not been updated by the way, if you’re still on the old version we recommend switching to iOS 14.2.
We have a separate article that looks at the best iPhone security tips.
This article originally appeared on Macwelt. Translation by Karen Haslam.