Apple patches exploited zero-days in iOS and iPadOS

Users are advised to apply Apple's recent iOS and iPadOS 14.2 security update as soon as possible, as it fixes three chained vulnerabilties that the company said are being exploited in the wild.

The three vulnerabilities were discovered by Google's Project Zero researchers who reported them to Apple and are also handled in Apple's iOS 12.4.9 update.

One memory corruption bug allows attackers to use a maliciously crafted font to cause run arbitrary code on users' devices.

An exploited memory initialisation issue that allows malicious applications to read operating system kernel memory was also found by Project Zero.

The security researchers also found a type confusion problem in iOS and iPadOS that allows malicious applications to run arbitrary code with kernel privileges.

Google's Threat Analysis Group director Shane Huntley said the zero-day vulnerabilities were deployed against specific targets.

Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.

— Shane Huntley (@ShaneHuntley) November 5, 2020

A Google bug hunting tool, the Open Source Software Fuzz (OSS-Fuzz) found remote code execution vulnerabilities in the libxml2 library, which are patched in iOS and iPadOS 14.2.

In total, the 14.2 update handles 24 security issues, and also brings 100 new emojis.