Apple’s 14.2 Update Fixes Bugs Being Exploited by Attackers
Apple’s store in Beijing’s Sanlitun district. (Photo: Apple)
Apple issued an update for iOS and iPadOS on Thursday that fixes three zero-day flaws found by Google’s Project Zero bug-hunting team and a range of other security-related flaws.
All three of the bugs found by Project Zero are being exploited in the wild, Apple says in its advisory. The flaws are in the iPhone 6s and upwards, iPod Touches from the 7th generation, the iPad Air 2 and up and the iPad mini 4 and later, the company says. The updated version of iOS and iPadOS is 14.2.
It’s unclear how common attacks are using the vulnerabilities, but it doesn’t appear to be widespread. Shane Huntley, director of Google’s Threat Analysis Group, tweeted that the attacks were “targeted exploitation” similar to other recent reported zero-day flaws. “Not related to any election targeting,” he writes.
Ben Hawkes, Project Zero’s technical lead, tweeted about Google’s findings in tandem with Apple’s advisory, but did not provide more detail.
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
— Ben Hawkes (@benhawkes) November 5, 2020
The U.S. has been on close watch for election-related interference from foreign actors. In the week prior to Tuesday’s presidential election, the U.S. publicly highlighted activity by Iran and Russia. But U.S. officials have said foreign interference hasn’t been a factor (see Post-Election Day: US on Guard for Hacking, Misinformation).
Apple provided brief descriptions of the vulnerabilities.
One of the issues, CVE-2020-27930, is a memory corruption problem that Apple says was fixed with improved input validation. The processing of a maliciously crafted font could lead to arbitrary code execution.
A second issue, CVE-2020-27932, is a type confusion issue that was improved with improved state handling. The result is that a malicious application could execute arbitrary code with kernel privileges, Apple says.
The third Project Zero find is CVE-2020-27950, which is a memory initialization problem. That may allow a malicious application to disclose kernel memory. Apple also fixed 21 other flaws.
iOS Bug Glut
Apple opened up its bug bounty program in August 2019 to a larger pool of researchers. It now gives vetted security researchers access to a platform and a special version of iOS that comes with SSH, root access and advanced debugging capabilities.
It also increased the rewards it would pay for certain types of vulnerabilities. Apple now pays out $1 million for a kernel-level vulnerability that requires no interaction on behalf of the victim and persists. The previous high award was $200,000 for flaws in secure boot firmware components (see Apple Expands Bug Bounty; Raises Max Reward to $1 Million).
The changes mostly drew praise, but also some light criticism. Katie Moussouris, who is the CEO of Luta Security, said the $1 million top reward isn’t necessarily competitive with vulnerability brokers who will simply increase their prices.
She also said high payouts could crimp Apple’s recruitment efforts in that talented researchers might chase the bounty rather than a job with Apple (see Is Apple’s Top $1 Million Bug Bounty Too Much?).
One vulnerability broker, Zerodium, claimed in September that Apple’s iOS versions 14.x have more persistent zero-day vulnerabilities than 12.x.
“Fun fact: Apple iOS 14.x has more persistence 0days than iOS 12.x. As always: more features, more zero-days, more tears,” Zerodium CEO Chaouki Bekrar tweeted on Sept. 23.
Zerodium announced in May that it would no longer pay for certain types of vulnerabilities in iOS, including local privilege escalation, remote code execution in Safari and sandbox escapes for two to three months due to a glut.