"Expert" Hackers Used 11 0-Days to Infect Windows, iOS, and Android Users
upstart writes in with an IRC submission:
"Expert" hackers used 11 0-days to infect Windows, iOS, and Android users:
A team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.
Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zero-days in February 2020. The hackers' ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google's Project Zero and Threat Analysis Group to call the group "highly sophisticated."
On Thursday, Project Zero researcher Maddie Stone said that, in the eight months that followed the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors' devices.
[...] The seven zero-days were:
- CVE-2020-15999 - Chrome Freetype heap buffer overflow
- CVE-2020-17087 - Windows heap buffer overflow in cng.sys
- CVE-2020-16009 - Chrome type confusion in TurboFan map deprecation
- CVE-2020-16010 - Chrome for Android heap buffer overflow
- CVE-2020-27930 - Safari arbitrary stack read/write via Type 1 fonts
- CVE-2020-27950 - iOS XNU kernel memory disclosure in mach message trailers
- CVE-2020-27932 - iOS kernel type confusion with turnstiles
Wikipedia has a good description of a zero-day (0-day) vulnerability.