In an update for iOS, Apple fixes three zero-day vulnerabilities that were being actively exploited. The leaks were found by Google’s Project Zero research group.
In addition to iOS, the vulnerabilities were also present in iPadOS, which is largely the same operating system. The new update fixes a large number of possible security leaks, but according to ArsTechnica three of these leaks had been found by Project Zero and were already being exploited.
- CVE-2020-27930 allowed attackers to execute their own code on the device using a combination of characters and fonts;
- CVE-2020-27950 allowed malicious apps to disclose parts of the kernel memory;
- CVE-2020-27932 made it possible to run code with additional permissions.
These vulnerabilities, along with some others, have been patched in iOS 14.2 and iPadOS 14.2. The update is available for the iPhone 6s and newer, iPod Touch 7th generation, iPad Air 2 and newer, and iPad Mini 4 and newer.
In addition to fixing security issues, Apple has also added a couple of new features to iOS 14.2. These include a feature to use the lidar sensor in the iPhone 12 to receive a warning when you come near another person. Blind people can use this to keep their distance during the corona pandemic. Furthermore, the update adds a few new emoji and wallpapers, in addition to a warning for a high headphone volume.
Since October 20th, Project Zero has found four other vulnerabilities in addition to these three. Three of them were in Chrome browsers for computers or Android phones, and one was found in Windows 7 and Windows 10. More about the latter vulnerability can be read in the Techzine news report about it.