Apple releases patches for 3 iOS zero-days that hackers used for targeted attacks

Two of the bugs affect the kernel, in the core of the device’s operating system.
iOS kernel exploits
Google's Project Zero discovered three critical iOS bugs (Pexels)

Apple has issued fixes for three critical bugs in its software for iPhones, iPads and iPods that could allow an attacker to burrow into the inner sanctum of a device’s operating system and steal data. The researchers who found the flaws said that attackers were actively exploiting them.

Two of the bugs affect the kernel, the core of the device’s operating system which handles interactions between hardware and software. Controlling the kernel essentially gives an attacker free rein over a device’s operating system and the data stored in it. Apple users are protected if they update their software, which the company encouraged them to do on Thursday.

Project Zero, Google’s team of security researchers that found the vulnerabilities, said malicious hackers exploited the flaws in targeted attacks, but did not disclose the victims or perpetrators. Shane Huntley, of Google’s Threat Analysis Group, said the activity was not related to the U.S. election.

Vulnerabilities in iPhone software are coveted by spies and criminals alike because of the popularity of the phones around the world, and the resources Apple spends protecting them. Apple has increasingly turned to outside researchers to report vulnerabilities in its software. The tech giant last year expanded its bug bounty program, promising up to $1.5 million to researchers for the most sensitive of iOS exploits.


This is not the first interaction between Apple and Project Zero over high-profile iOS vulnerabilities. Project Zero researchers last year said malicious hackers were spying on thousands of users using a batch of iOS bugs. Apple tried to downplay the hacking campaign, but did confirm attackers targeted the Uighur community in China, a largely Muslim population under mass surveillance by the Chinese government.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts