Apple patches three zero-day vulnerabilities found by Google’s Project Zero team

Apple yesterday released iOS patches for three zero-day vulnerabilities that were discovered by Google Project Zero safety equipment.

The researchers said that the three vulnerabilities were used as part of a chain of exploits that allows attackers to compromise iOS devices and potentially turn their devices against them, take control of the camera or microphone, share location data, and record keystrokes when users enter personal or work credentials.

Shane Huntley, director of the threat analysis group at Google Security, wrote in a cheep that the target zero days in nature patched by Apple late this week were similar to the other zero days that Google reported on its Chrome platform earlier this week. Huntley also added that the zero days did not appear to be related to any election-related hacking activity.

The three vulnerabilities were as follows:

• CVE-2020-27930 – An iOS FontParser remote code execution flaw that allows attackers to execute the wrong code in iOS products.
• CVE-2020-27932: Flaw in the iOS kernel that allows attackers to execute malicious code with kernel-level privileges.
• CVE-2020-27950: Memory leak in iOS kernel allowing criminals to get content from iOS kernel memory.

Chris Hazelton, Lookout’s director of security solutions, added that Apple has moved quickly to patch these vulnerabilities. Hazelton said that while mobile operating systems were built to be more secure than desktop computers, as smartphones and tablets increase in capabilities, so does their potential for vulnerabilities.

“Vulnerabilities at the mobile operating system level can leave the door open for cybercriminals and national state actors to steal personal and organizational data,” Hazelton said.

Attackers can exploit smartphone vulnerabilities to bypass native protections in mobile operating systems, Hazelton said. For example, in the case of the iOS vulnerability called FontParser (CVE-2020-27930), a malicious font triggers a vulnerability that allows arbitrary code to be executed. Such code execution could include the installation of a malicious application that has privileged access to the device. While neither Apple nor Google disclosed how many targets were hit, as a safety measure, they advised iOS users to run the patch for iOS 14.2. For more information on all updates, go to Apple’s security updates page.