Apple patches three actively exploited zero‑day flaws in iOS

Long list of vulnerable actively exploited devices

Apple has released patches of its own to fix three zero-day vulnerabilities under active attacks.

The trio of flaws, affecting a broad range of Apple’s products, also happened to be unearthed by the bug-hunting crew.

“Apple is aware of reports that an exploit for this issue exists in the wild,” reads the company’s security bulletin describing each of the three flaws.

Impacted Devices

• iPhone 6s and later

• iPod touch 7th generation

• iPad Air 2 and later,

• iPad mini 4 and later.

The Cupertino tech giant also issued security updates for the vulnerabilities across a range of its other products, including the Apple Watch with watchOS 5.3.9, 6.2.9, and 7.1, a supplemental update for its Mac products with macOS Catalina 10.15.7, as well as a fix for older devices running iOS 12.4.9.

Ben Hawkes, the technical lead of Google’s Project Zero, had this to say on Twitter:

Meanwhile, Shane Huntley of Google’s Threat Analysis Group tweeted that the exploitation of the vulnerabilities is targeted and seems to be related to the zero-days that have been uncovered over the past month.

An attacker could exploit it by creating a malicious application to disclose kernel memory; according to VULDB, exploitation needs to happen locally and requires a single authentication.

The third zero-day bug, tracked as CVE-2020-27932, is a kernel privilege escalation vulnerability. “A malicious application may be able to execute arbitrary code with kernel privileges,” Apple warned.

Computer Emergency Response Teams (CERT) from Hong Kong and Singapore issued alerts urging users of the affected Apple devices to apply the updates immediately. If you don’t have automatic updates enabled, you can update your iPhone and iPad manually by going to the Settings menu, then tapping General and going to the Software Update section.