Hackers used 7 zero-days, compromised websites to infiltrate iOS

Detailed in a blog post by Google's Project Zero team, the hacks began in February 2020 and continued for at least eight months, spanning a wide range of techniques, vulnerability types and attack vectors.

As reported by ArsTechnica, the first four zero-days targeted Android and Windows machines running Chrome. The hacking team broadened its scope over the following eight months to include seven vulnerabilities that impacted iOS and Safari. Watering-hole sites were used to distribute different exploits tailored to the visiting device and web browser.

Beyond discovering and exploiting the zero-days, the hacking group was able to quickly deploy new attacks after security patches were applied. This flexibility illustrates not only a deep well of available vulnerabilities, but also the hackers' skill level, the report says.

"Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero," wrote Project Zero researcher Maddie Stone. "The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out."

Project Zero detected the following zero-days in October: Chrome Freetype heap buffer overflow, Windows heap buffer overflow in cng.sys, Chrome type confusion in TurboFan map deprecation, Chrome for Android heap buffer overflow, Safari arbitrary stack read/write via Type 1 fonts, iOS XNU kernel memory disclosure in mach message trailers, and iOS kernel type confusion with turnstiles.

As noted by ArsTechnica, the chain of exploits was required to break through layers of defenses built into modern operating systems.

Apple regularly issues updates to patch security holes in iOS, the latest of which arrived with iOS 14.4.1 on March 8.