Apple on Thursday released multiple security updates to patch three zero-day vulnerabilities that were revealed as being actively exploited in the wild.
The list of impacted devices includes iPhone 5s and later, iPod touch 6th and 7th generation, iPad Air, iPad mini 2 and later, and Apple Watch Series 1 and later.
CVE-2020-27930: A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.
CVE-2020-27932: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.
CVE-2020-27950: A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.
“Targeted exploitation in the wild similar to the other recently reported 0days,” said Shane Huntley, Director of Google’s Threat Analysis Group. “Not related to any election targeting.”
The disclosure is the latest in a string of zero-days Project Zero has reported since October 20. First came the Chrome zero-day in the FreeType font rendering library (CVE-2020-15999), then a Windows zero-day (CVE-2020-17087), followed by two more in Chrome and its Android variant (CVE-2020-16009 and CVE-2020-16010).