Home > Cyber News > Beware: 3 Serious Flaws in iOS, iPadOS, watchOS, and macOS (CVE-2020-27930)
CYBER NEWS

Beware: 3 Serious Flaws in iOS, iPadOS, watchOS, and macOS (CVE-2020-27930)

Apple recently released security fixes for iOS, iPadOS, watchOS, and macOS, addressing vulnerabilities reported by Google’s Project Zero. According to the company’s security advisories, three of the flaws were reported by Project Zero and are being exploited in the wild.

These flaws are a remote code execution bug (CVE-2020-27930), a kernel memory leak (CVE-2020-27950), and a kernel privilege escalation (CVE-2020-27932). Owners of Apple devices should update their software as soon as possible. It is also noteworthy that “Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available.”

CVE-2020-27930

This critical vulnerability is present in macOS up to version 10.15.7. The flaw affects an unknown processing of the FontParser component. According to Vulnerability Database, its manipulation can lead to memory corruption. Furthermore, the flaw is trivial to exploit and can be exploited remotely.




CVE-2020-27950

This is a problematic kernel vulnerability in Apple iOS and iPadOS up to 14.1, which can lead to information disclosure. What is known so far is that the exploitation of the flaw seems to be easy, and it should happen locally. Single authentication is required for the attack. The vulnerability can also help a malicious app to run arbitrary code with kernel rights.

CVE-2020-27932

This kernel vulnerability seems to affect Apple iOS and iPadOS up to 14.1, as well as Apple watchOS up to 5.3.8/6.2.8/7.0.3. Little is known about the flaw, and its impact is still unknown.
However, security researchers warn that these flaws can be chained together to hijack users’ devices. Users can be tricked to perform a specific action, such as open a document, message, or webpage that loads a malicious font. This could then lead to code execution with kernel privileges.

Corresponding updates have been released in iOS 14.2 and iPadOS 14.2, watchOS 7.1, macOS 10.15.7, and tvOS 14.2. The company also issued iOS 12.4.9 for outdated iPhone models which are no longer supported, going back to iPhone 5. For more information, you can read Apple’s official bulletins.


In April this year, security researcher Bhavuk Jain reported a zero-day vulnerability in the Sign in with Apple feature that affected third-party applications, using it without implementing their own security measures.

According to Jain, the Apple zero-day “could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...