Apple‘s security teams announced the fix for three zero-day vulnerabilities in the iOS system, which have been actively exploited and affect iPhone, iPad, and iPod devices: “We are aware of reports about an exploit for this issue in real-world scenarios,” the company’s security alert mentions.
On vulnerable devices, the flaws affect all versions of iPhone after 6S, seventh generation iPod touch, iPad Air 2 and later, in addition to iPad mini 4 and later. The flaws were fixed by Apple with the release of iOS 14.2, the latest stable version of the mobile operating system.
The first flaw, tracked as CVE-2020-27930, is a remote code execution (RCE) error triggered by a memory corruption issue when processing a source created for malicious purposes using the FontParser library. The second zero-day flaw is a kernel memory leak tracked as CVE-2020-27950 and caused by a memory initialization issue that allows malicious applications to access kernel memory.
Finally, the third is a kernel privilege escalation flaw (CVE-2020-27932) caused by a type confusion issue that makes it possible for malicious applications to execute arbitrary code with kernel privileges. Project Zero, Google’s vulnerability search team was in charge of these reports, notifying Apple in a timely way.
In addition to these critical flaws, Project Zero reported four other vulnerabilities that were fixed over the past two weeks. Google fixed two actively exploited Chrome zero-day flaws, including a stack buffer overflow flaw in the Android user interface.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.