Apple Puts Out Regular iOS Security Update Fixing Three Zero-Days

  • iOS 14.2 and iPadOS 14.2 land with 24 fixes, three of which concern zero-day flaws.
  • Two of those flaws are on the kernel, leading to privilege and escalation and remote code execution.
  • These key discoveries come from researchers who may soon stop reporting them to Apple.

iOS 14.2 and iPadOS 14.2 are out, and they are addressing a rich set of flaws on a wide range of components. Among them, there are three actively exploited zero-day flaws, which were discovered and reported to Apple by Google’s ‘Project Zero’ researchers.

Zero-days are vulnerabilities that have been discovered and exploited by hackers but not by anyone in the white-hat research community. Thus, they are like “secret passes” where nasty stuff comes and goes until the vendor figures them out and patches them.

Security updates are always crucial, but applying them immediately should be an absolute priority when they fix zero-days. Thus, you should backup your important files and download iOS 14.2 right away. These are the details of the three zero-days:

CVE-2020-27930: A memory corruption bug based on poor input validation at the FontParser. The exploit happened through the use of malicious fonts that lead to arbitrary code execution on the target system.

CVE-2020-27932: A type confusion on the system kernel, which was addressed with improved state handling. The danger comes from malicious software that could be able to execute arbitrary code with kernel privileges.

CVE-2020-27950: Another kernel-level bug, enabling a malicious application to potentially access kernel memory data.

In total, the iOS 14.2 and iPadOS 14.2 come with 24 fixes, many of which were reported by the Cisco Talos team, Apple’s own researchers, and even anonymous tipsters. This underlines the importance of having an active researcher community around your product and why it’s risky to set restrictive rules that make the lives and work of those researchers harder.

If the Project Zero team never reported these three flaws to Apple, many more iOS users could have fallen victims to attacks, and the prestige of Apple’s system regarding security and privacy would suffer dents from negative publicity and loss of trust.

REVIEW OVERVIEW

Latest

Apple TV+ One-Year Free Trials Extended Until July 2021

Buyers of Apple TV devices have just gotten a second Apple TV+ subscription extension.This adds up to another nine full months of...

The Scottish Environment Protection Agency Was Hit by Ransomware

The Scottish Environment Protection Agency (SEPA) was compromised by the Conti group almost a month ago.The ransomware gang is now leaking part...

Discovery Plus Keeps Crashing: Here’s How to Fix It

Discovery Plus has been out for over a week now and users are reporting various issues they have with the service. One...