Hackers used 7 zero-days, compromised websites to infiltrate iOS

in iOS edited March 2021
In what is being called a highly sophisticated attack, a group of hackers leveraged a total of 11 zero-day vulnerabilities and a host of compromised websites to infect fully patched devices running iOS, Windows and Android.


Detailed in a blog post by Google's Project Zero team, the hacks began in February 2020 and continued for at least eight months, spanning a wide range of techniques, vulnerability types and attack vectors.

As reported by ArsTechnica, the first four zero-days targeted Android and Windows machines running Chrome. The hacking team broadened its scope over the following eight months to include seven vulnerabilities that impacted iOS and Safari. Watering-hole sites were used to distribute different exploits tailored to the visiting device and web browser.

Beyond discovering and exploiting the zero-days, the hacking group was able to quickly deploy new attacks after security patches were applied. This flexibility illustrates not only a deep well of available vulnerabilities, but also the hackers' skill level, the report says.

"Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero," wrote Project Zero researcher Maddie Stone. "The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out."

Project Zero detected the following zero-days in October: Chrome Freetype heap buffer overflow, Windows heap buffer overflow in cng.sys, Chrome type confusion in TurboFan map deprecation, Chrome for Android heap buffer overflow, Safari arbitrary stack read/write via Type 1 fonts, iOS XNU kernel memory disclosure in mach message trailers, and iOS kernel type confusion with turnstiles.

As noted by ArsTechnica, the chain of exploits was required to break through layers of defenses built into modern operating systems.

Apple regularly issues updates to patch security holes in iOS, the latest of which arrived with iOS 14.4.1 on March 8.


  • Reply 1 of 7
    So, is the takeaway that I need to burn all my current hardware to the ground and buy new because I existed online in 2020?
  • Reply 2 of 7
    I work in tech and feel comfortable asserting I probably know more about technology than 99% of people … but then I read something like this and realize I am an absolute illiterate sitting duck compared to some people out there.
    appleseerpulseimagesmanfred zornkiehtanCloudTalkinbeowulfschmidtapplguywatto_cobra
  • Reply 3 of 7
    MplsPMplsP Posts: 3,681member
    So, is the takeaway that I need to burn all my current hardware to the ground and buy new because I existed online in 2020?
    yup. pretty much. And move to a cabin in Idaho.
    pulseimagesmanfred zornwatto_cobra
  • Reply 4 of 7
    xsmixsmi Posts: 138member
    So have the exploits been patched? 
  • Reply 5 of 7
    rcfarcfa Posts: 1,124member
    xsmi said:
    So have the exploits been patched? 
    And who are the hackers?
  • Reply 6 of 7
    mknelsonmknelson Posts: 923member
    rcfa said:
    xsmi said:
    So have the exploits been patched? 
    And who are the hackers?
    You may want to read the Ars article for more details: https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/

    Patched? Yes, but then the hackers deploy a different attack vector.

    Who? "Thursday’s post offered no details on the group responsible for the attacks. It would be especially interesting to know if the hackers are part of a group that’s already known to researchers or if it’s a previously unseen team. Also useful would be information about the people who were targeted."
  • Reply 7 of 7
    If these were watering hole attacks, would sure be nice to know what watering holes were taking advantage of these vulterabilities.
Sign In or Register to comment.