Time to update your iPhone. Hackers have been spotted exploiting three new vulnerabilities in iOS, which can be used to take over the devices.
Google’s “Project Zero” security team discovered the bugs and is warning that hackers are actively exploiting them. In response, Apple on Thursday released a patch via the iOS 12.4.9 update, which can be applied to the iPhone 5s and up, as well as earlier iPads.
Neither Google nor Apple has elaborated on how hackers have been exploiting the vulnerabilities. But we suspect the three flaws were chained together to enable the attacks to hijack iPhone devices remotely. Here’s a breakdown of how they generally work:
- CVE-2020-27930: This memory corruption flaw involves a “maliciously crafted font,” which can trigger the iPhone software to execute computer code, like downloading a hacker-controlled app. So it’s possible the vulnerability was used as the first stage in an attack, where the hacker sends a text message or email that contains the malicious font.
- CVE-2020-27932: This vulnerability can enable a hacker-controlled app on an iPhone to execute more computer code, but with privileges to access the kernel, the core of the iOS operating system.
- CVE-2020-27950: By exploiting this vulnerability, a hacker-controlled app on an iPhone can trigger the iOS kernel to leak memory.
Google security researcher Shane Huntley has only said the three vulnerabilities were exploited in a “targeted” fashion—an indicator the hackers were going after select victims. None of the attacks were election-related, he added.
To update your iPhone, go to Settings > General > Software Update. The device can also update automatically if you’ve toggled on automatic updates.