Apple emits iOS, iPadOS, watchOS, macOS patches to fix three hijack-my-device flaws exploited in the wild
2020-11-05 23:41

Apple on Thursday issued security updates for iOS, iPadOS, watchOS, and macOS that address three holes reported by Google's Project Zero bug hunters, in addition to exploitable flaws found by others.

The iPhone giant's security bulletins note that the three flaws discovered and reported by Project Zero - CVE-2020-27930, CVE-2020-27950, and CVE-2020-27932 - are being actively exploited in the wild.

The updates have been designated iOS 14.2 and iPadOS 14.2, watchOS 7.1, macOS 10.15.7, and tvOS 14.2.

Apple also issued iOS 12.4.9 for outdated iPhone models that it no longer supports in current iOS releases, going back to iPhone 5s. Older watchOS releases also saw updates in the form of watchOS 6.2.9 and 5.3.9.

Which is just as well because CVE-2020-27902, discovered by developer Connor Ford, can be exploited by a "Person with physical access to an iOS device ... to access stored passwords without authentication." This is present in the iOS Keyboard software component, and was fixed by improving the code's state machine.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/11/05/apple_drops_patches_to_fix/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTRIBUTES | RISK |
|---|---|---|---|---|---|
| 2020-12-08 | CVE-2020-27902 | Missing Authentication for Critical Function vulnerability in Apple Iphone OS | An authentication issue was addressed with improved state management. | low complexity, apple, CWE-306 | 4.6 |
| 2020-12-08 | CVE-2020-27930 | Out-of-bounds Write vulnerability in Apple products | A memory corruption issue was addressed with improved input validation. | local, low complexity, apple, CWE-787 | 7.8 |
| 2020-12-08 | CVE-2020-27932 | Type Confusion vulnerability in Apple products | A type confusion issue was addressed with improved state handling. | local, low complexity, apple, CWE-843 | 7.8 |
| 2020-12-08 | CVE-2020-27950 | Improper Initialization vulnerability in Apple products | A memory initialization issue was addressed. | local, low complexity, apple, CWE-665 | 5.5 |

Related vendor

| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| Apple | 72 | 238 | 1567 | 2279 | 265 | 4349 |