Eleven zero-day vulnerabilities were exploited on Android, iOS and Windows
Google admitted on its Project Zero blog that there were eleven zero-day vulnerabilities that hackers had exploited in the past nine months. Several operating systems were affected: In addition to Android, Apple iOS and Windows 10. Part of the attacks were infected websites, which then aimed to compromise the relevant systems.
In some cases, several exploits were combined with one another. Four of the zero-day vulnerabilities, which were initially unknown to the manufacturers, were already exploited in February 2020. As a result, devices with Android and Windows that were up to date could be attacked. The responsible hackers are said to have been very experienced. After the first attacks in February 2020, seven other security vulnerabilities were then silently exploited by the same group. This time iOS was added as a welcome target. Here, too, one worked with websites which could then smuggle in malware.
The above graphic shows you the rather complicated process. The attacks were carried out using the Chrome, Samsung and Safari browsers. The following security gaps are listed, which served as gateways:
CVE-2020-15999 – Chrome Freetype heap buffer overflow
CVE-2020-17087 – Windows heap buffer overflow in cng.sys
CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation
CVE-2020-16010 – Chrome for Android heap buffer overflow
CVE-2020-27930 – Safari arbitrary stack read / write via Type 1 fonts
CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers
CVE-2020-27932 – iOS kernel type confusion with turnstiles
It is an open question which group was responsible and which group might have had the attacks. So it is not clear who exactly was attacked. What is extreme about the attacks is that a high level of specialist knowledge was required and that it would not have helped the users to install all the latest security updates. Maybe some more detailed information will follow in the next few weeks and months.