BerandaComputers and TechnologyAbout the security content of iOS 14.2 and iPadOS 14.2

About the security content of iOS 14.2 and iPadOS 14.2

Released November 5, 2020

Audio

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-27910: JunDong Xie and XingWei Lin of Ant Security Light-Year Lab

Audio

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2020-27916: JunDong Xie of Ant Security Light-Year Lab

CallKit

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A user may answer two calls simultaneously without indication they have answered a second call

Description: An issue existed in the handling of incoming calls. The issue was addressed with additional state checks.

CVE-2020-27925: Nick Tangri

CoreAudio

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2020-10017: Francis working with Trend Micro Zero Day Initiative, JunDong Xie of Ant Security Light-Year Lab

CoreAudio

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-27909: Anonymous working with Trend Micro Zero Day Initiative, JunDong Xie and XingWei Lin of Ant Security Light-Year Lab

Crash Reporter

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A local attacker may be able to elevate  their privileges

Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.

CVE-2020-10003: Tim Michaud (@TimGMichaud) of Leviathan

FontParser

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted font may lead to arbitrary code execution. Apple is aware of reports that an exploit for this issue exists in the wild.

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-27930: Google Project Zero

FontParser

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-27927: Xingwei Lin of Ant Security Light-Year Lab

Foundation

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A local user may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2020-10002: James Hutchins

ImageIO

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab

IOAcceleratorFamily

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-27905: Mohamed Ghannam (@_simo36)

Kernel

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild.

Description: A memory initialization issue was addressed.

CVE-2020-27950: Google Project Zero

Kernel

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A malicious application may be able to determine kernel memory layout

Description: A logic issue was addressed with improved state management.

CVE-2020-9974: Tommy Muir (@Muirey03)

Kernel

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-10016: Alex Helie

Kernel

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.

Description: A type confusion issue was addressed with improved state handling.

CVE-2020-27932: Google Project Zero

Keyboard

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A person with physical access to an iOS device may be able to access stored passwords without authentication

Description: An authentication issue was addressed with improved state management.

CVE-2020-27902: Connor Ford (@connorford2)

libxml2

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing maliciously crafted web content may lead to code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-27917: found by OSS-Fuzz

libxml2

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow was addressed through improved input validation.

CVE-2020-27911: found by OSS-Fuzz

libxml2

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-27926: found by OSS-Fuzz

Logging

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: A local attacker may be able to elevate their privileges

Description: A path handling issue was addressed with improved validation.

CVE-2020-10010: Tommy Muir (@Muirey03)

Model I/O

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: A logic issue was addressed with improved state management.

CVE-2020-10004: Aleksandar Nikolic of Cisco Talos

Model I/O

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-13524: Aleksandar Nikolic of Cisco Talos

Model I/O

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-10011: Aleksandar Nikolic of Cisco Talos

WebKit

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-27918: an anonymous researcher

Read More

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments