Security News > 2020 > November > Apple emits iOS, iPadOS, watchOS, macOS patches to fix three hijack-my-device flaws exploited in the wild
Apple on Thursday issued security updates for iOS, iPadOS, watchOS, and macOS that address three holes reported by Google's Project Zero bug hunters among exploitable flaws found by others.
The iPhone giant's security bulletins note that the three flaws discovered and reported by Project Zero - CVE-2020-27930, CVE-2020-27950, and CVE-2020-27932 - are being actively exploited in the wild.
The updates have been designated iOS 14.2 and iPadOS 14.2, watchOS 7.1, macOS 10.15.7, and tvOS 14.2.
Apple also issued iOS 12.4.9 for outdated iPhone models that it no longer supports in current iOS releases, going back to iPhone 5s. Older watchOS releases also saw updates in the form of watchOS 6.2.9 and 5.3.9.
Which is just as well because CVE-2020-27902, discovered by developer Connor Ford, can be exploited by a "Person with physical access to an iOS device ... to access stored passwords without authentication." This is present in the iOS Keyboard software component, and was fixed by improving the code's state machine.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/11/05/apple_drops_patches_to_fix/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-08 | CVE-2020-27902 | Missing Authentication for Critical Function vulnerability in Apple Iphone OS An authentication issue was addressed with improved state management. | 4.6 |
| 2020-12-08 | CVE-2020-27930 | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved input validation. | 7.8 |
| 2020-12-08 | CVE-2020-27932 | Type Confusion vulnerability in Apple products A type confusion issue was addressed with improved state handling. | 7.8 |
| 2020-12-08 | CVE-2020-27950 | Improper Initialization vulnerability in Apple products A memory initialization issue was addressed. | 5.5 |