Children of the Digital Age

Ireland's Cyber Safety Professionals

Blog Internet Safety Advice for Parents

Urgent IOS Apple Update Warning

User Avatar

ByChildren of the Digital Age

Nov 7, 2020

Apple on Thursday released multiple security updates to patch three zero-day vulnerabilities that were revealed as being actively exploited in the wild.

Rolled out as part of its iOS, iPadOS, macOS, and watchOS updates, the flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.

The zero-days were discovered and reported to Apple by Google's Project Zero security team.

“Apple is aware of reports that an exploit for this issue exists in the wild,” the iPhone maker said of the three zero-days without giving any additional details so as to allow a vast majority of users to install the updates.

The list of impacted devices includes iPhone 5s and later, iPod touch 6th and 7th generation, iPad Air, iPad mini 2 and later, and Apple Watch Series 1 and later.

The fixes are available in versions iOS 12.4.9 and 14.2, iPadOS 14.2, watchOS 5.3.9, 6.2.9, and 7.1, and as a supplemental update for macOS Catalina 10.15.7.

According to Apple's security bulletin, the flaws are:

CVE-2020-27930: A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.

CVE-2020-27932: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.

CVE-2020-27950: A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.”Targeted exploitation in the wild similar to the other recently reported 0days,” said Shane Huntley, Director of Google's Threat Analysis Group. “Not related to any election targeting.”

Director of Google's Threat Analysis Group. “Not related to any election targeting.”

The disclosure is the latest in the string of zero-days Project Zero has reported since October 20. First came the Chrome zero-day in Freetype font rendering library (CVE-2020-15999), then a Windows zero-day (CVE-2020-17087), followed by two more in Chrome and its Android variant (CVE-2020-16009 and CVE-2020-16010).

A patch for the Windows zero-day is expected to be released on November 10 as part of this month's Patch Tuesday.

While more details are awaited on whether the zero-days were abused by the same threat actor, it's recommended that users update their devices to the latest versions to mitigate the risk associated with the flaws.

Source THN.

Children of the Digital Age
User Avatar

By Children of the Digital Age

We offer Workshops and Courses both Nationally and Internationally for Parents, Children and Workplace Staff and Conferences, on Cyber Safety, Parental Controls, Online Addiction, Online Privacy, also Consultancy on Social Engineering and Data Protection, Ransome Ware and much more. For further information Please Contact Us codainfo@protonmail.com

Related Post

Blog DeepFake Intimate Image Abuse Pornography Revenge Porn

Time to address Deepfake Porn

Oct 28, 2022 Children of the Digital Age
Blog Image Based Abuse Internet Safety Advice for Parents Intimate Image Abuse Live stream sexual abuse and exploitation Online Sexual Exploitation Revenge Porn Scam Sexting Social Media

More Male than Female Sextortion victims being reported.

Oct 28, 2022 Children of the Digital Age
Blog Education Internet Safety for Teens Intimate Image Abuse Online Privacy Scam Social Media

Kids take note, your over confidance in protecting yourself online makes you vulnerable

Oct 28, 2022 Children of the Digital Age
© 2021 Children of the Digital Age All Rights Reserved. Children of the Digital Age is a Registered Company No. 582337