snarang
Product Team
5 years ago

Apple patches three zero-day vulnerabilities exploited in the wild

On November 5, Apple released several security updates across its product line, including iPhone, iPad, Apple Watch and Mac. These security updates included fixes for three notable vulnerabilities: CVE-2020-27930, CVE-2020-27932, and CVE-2020-27950. These vulnerabilities were reportedly exploited in the wild as zero-days in targeted attacks.

  • CVE-2020-27930 is a memory corruption vulnerability in the FontParser. The issue stems from the way the FontParser processes font files. When the FontParser tries to process a malicious font file, it could result in arbitrary code execution.
  • CVE-2020-27932 is a type confusion vulnerability in the Kernel. An attacker could potentially execute arbitrary code on the device with kernel privileges through the use of a malicious application.
  • CVE-2020-27950 is a memory initialization vulnerability in the Kernel. According to the release notes, kernel memory may be disclosed through a malicious application.

According to Ben Hawkes, a founding member and technical lead on Google’s Project Zero team, his team reported these three vulnerabilities to Apple. In response to questions about the nature of these vulnerabilities, Shane Huntley, the director of Google’s Threat Analysis Group, tweeted that the exploitation of these vulnerabilities was “targeted” and “similar to the other recently reported 0days.”

Huntley is referring to several vulnerabilities that Google has disclosed over the last few weeks, including a pair of zero-day vulnerabilities in Google Chrome and Microsoft Windows that were exploited in the wild as part of a vulnerability chain. Google also reported additional Chrome zero-day vulnerabilities in Chrome for Desktop and Chrome for Android.

In the case of the pair of zero-day vulnerabilities in Google Chrome and Microsoft Windows, the Chrome zero-day stemmed from a font library called FreeType2. On Apple devices, CVE-2020-27930 is a FontParser-related issue. It is unclear whether or not these two separate vulnerabilities are connected to the same campaign or threat actor.

Apple has released the following software updates to address these vulnerabilities:

Tenable product coverage will be available here as soon as it is released. Please note that Tenable customers that integrate with mobile device management solutions can identify mobile devices missing vendor updates.

For any product related questions, please check out our Question and Answers section on the community. If you’d like to open a case, you can create one here.
