Apple has patched three separate vulnerabilities in iOS and macOS that attackers have been exploiting in the wild. The patches are included in iOS 14.2 and macOS Catalina 10.15.7, which the company released Thursday.
All three of the vulnerabilities were discovered and reported to Apple by researchers with Google Project Zero, which specializes in identifying zero-days being used by attackers. Two of the flaws are in the iOS kernel, while the third is in the font parser component of the operating system. Neither Apple nor Project Zero released any details on the attacks or the exploits for these vulnerabilities.
The FontParser vulnerability (CVE-2020-27930) is the most serious of the three bugs, as it can lead to remote code execution.
“Processing a maliciously crafted font may lead to arbitrary code execution. Apple is aware of reports that an exploit for this issue exists in the wild. A memory corruption issue was addressed with improved input validation,” the Apple advisory says.
The two kernel vulnerabilities are slightly less serious, but dangerous nonetheless. The first flaw is a memory initialization issue (CVE-2020-27950) in the kernel that can lead to a leak of kernel memory contents. The second is a type confusion vulnerability (CVE-2020-27932) that can allow a malicious app to run arbitrary code with kernel privileges.
Those three vulnerabilities are among 24 issues that Apple fixed in iOS 14.2, a rather large number for a point release, and are the only three patched in the new release of macOS. Several of the other vulnerabilities patched in iOS 14.2 can lead to arbitrary code execution, too. Enterprises with managed iPhone and Mac deployments should install the updates as soon as practical, given that exploits for three of the flaws are already in use in the wild.