Multiple zero-day flaws affect users of iOS, Android and Windows systems

Mobile security specialists are warning iOS and Android users about the risks posed by a group of threat actors exploiting several zero-day flaws. These hackers have been exploiting four flaws using four different types of attack, including code obfuscation.

This report was prepared by researchers from Project Zero, Google’s main research unit, in conjunction with the Threat Analysis Group security alliance.

Maddie Stone, a member of Project Zero, mentions that this renowned hacking group has been involved in multiple recent malicious campaigns, exploiting critical security flaws on iOS, Android and even Windows systems.

Moreover, security firm Arstechnica mentions that this hacking group has employed watering hole techniques to transfer malicious files to vulnerable devices of affected users: “These attacks usually begin with redirecting to malicious websites where hackers host malware for mobile devices and desktops,” the researchers mention.

In this attack, experts note that everything was carried out through a zero-day exploit, created by the threat actors, targeting the Chrome V8 engine.

In an update to the Project Zero blog, Stone mentioned that the vulnerabilities come in the form of a JIT vulnerability affecting a source error cache. This led the researchers to study how the exploits were developed, so that they could determine how the vulnerabilities arose. Project Zero notes that the hackers used a Chrome FreeType zero-day exploitation method. This scenario presents the information Google has discovered about the obfuscation methods used, as well as the iOS kernel privilege vulnerability.

Google researchers also collected a complete exploit chain for compromising Windows 10 systems through the Chrome browser. Two partial chains targeting Android devices running Android 10 were also identified: “These flaws are being executed with the use of Samsung Browser and Chrome. The latter is the RCE exploit focused on iOS 11 and iOS 13.”

Below is a list of the security flaws exploited by this hacker group:

  • CVE-2020-15999: Buffer overflow in Chrome FreeType
  • CVE-2020-17087: Windows heap buffer overflow
  • CVE-2020-16009: Type confusion in Google Chrome
  • CVE-2020-16010: Chrome heap buffer overflow for Android
  • CVE-2020-27930: Safari arbitrary stack read/write via Type 1 fonts
  • CVE-2020-27950: iOS XNU kernel memory disclosure in mach message trailers
  • CVE-2020-27932: iOS kernel type confusion
