Apple today released iOS 14.2, a security update that fixes three 0day vulnerabilities discovered in attacks against its users.
According to Shane Huntley, Director of Google's Threat Analysis Team, the three iOS 0days are related to the recent Chrome vulnerabilities and the Windows 0day that Google announced in the last two weeks.
Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.
- Shane Huntley (@ShaneHuntley) November 5, 2020
Google did not provide details on who the attackers were or what their targets were.
According to Ben Hawkes, team lead of Google's Project Zero, whose team discovered the attacks and reported them to Apple, the three iOS 0days are:
- CVE-2020-27930 – a remote code execution vulnerability in the iOS FontParser component that allows attackers to remotely execute code on iOS devices.
- CVE-2020-27932 – a privilege escalation vulnerability in the iOS kernel that allows attackers to run malicious code with kernel-level privileges.
- CVE-2020-27950 – a memory leak in the iOS kernel that allows attackers to retrieve content from the kernel memory of an iOS device.
All three bugs are believed to have been used together, allowing attackers to remotely jailbreak iPhones.