Apple recently released security fixes for iOS, iPadOS, watchOS, and macOS, addressing vulnerabilities reported by Google’s Project Zero. According to the company’s security advisories, three of the flaws were reported by Project Zero and are being exploited in the wild.
These flaws are a remote code execution bug (CVE-2020-27930), a kernel memory leak (CVE-2020-27950), and a kernel privilege escalation (CVE-2020-27932). Owners of Apple devices should update their software as soon as possible. It is also noteworthy that “Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available.”
CVE-2020-27930
This critical vulnerability is present in macOS up to version 10.15.7. The flaw affects an unspecified processing routine in the FontParser component. According to Vulnerability Database, manipulating it can lead to memory corruption. Furthermore, the flaw is trivial to exploit and can be exploited remotely.
CVE-2020-27950
This is a problematic kernel vulnerability in Apple iOS and iPadOS up to 14.1, which can lead to information disclosure. What is known so far is that exploitation seems to be easy and should happen locally. A single authentication is required for the attack. The vulnerability can also help a malicious app run arbitrary code with kernel privileges.
CVE-2020-27932
This kernel vulnerability seems to affect Apple iOS and iPadOS up to 14.1, as well as Apple watchOS up to 5.3.8/6.2.8/7.0.3. Little is known about the flaw, and its impact is still unknown.
However, security researchers warn that these flaws can be chained together to hijack users’ devices. Users can be tricked into performing a specific action, such as opening a document, message, or webpage that loads a malicious font. This could then lead to code execution with kernel privileges.
Corresponding updates have been released in iOS 14.2 and iPadOS 14.2, watchOS 7.1, macOS 10.15.7, and tvOS 14.2. The company also issued iOS 12.4.9 for outdated iPhone models that are no longer supported, going back to iPhone 5. For more information, you can read Apple’s official bulletins.
In April this year, security researcher Bhavuk Jain reported a zero-day vulnerability in the Sign in with Apple feature that affected third-party applications that used it without implementing their own security measures.
According to Jain, the Apple zero-day “could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”