Apple has distributed an emergency iOS update that fixes three "zero-day" security flaws already used by hackers to attack iPhones, iPads, and iPods. iDevices must be updated to iOS 14.2 and iPadOS 14.2.
"Apple is aware of reports of exploits for this issue in the wild," the company said in an Apple security advisory released today (November 5), next to the description of each flaw.
Apple does not call these "zero-day" flaws, but that is what they are: vulnerabilities that are attacked by hackers before defenders have a chance to fix them.
The flaws affect the iOS/iPadOS font parser and the iOS/iPadOS kernel. The font parser flaw "may lead to arbitrary code execution" when "maliciously crafted fonts are processed," which means devices can be hacked, according to Apple's advisory.
In the case of the second flaw, "malicious applications may be able to disclose kernel memory."
The third flaw "could allow a malicious application to kernel privileges to execute arbitrary code," which is pretty much a complete system takeover.
The update to iOS and iPadOS 14.2 fixes 21 other security flaws.
Apple also upgraded iOS 12 to version 12.4.9 on devices that cannot run iOS 14, including the iPhone 5s, 6, 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and 6th-generation iPod touch. In that update, the three zero-day flaws and one older FaceTime flaw were fixed.
Reading between the lines, one can vaguely see the outlines of a multi-stage attack cascading these three flaws that are being actively exploited. Second, a malicious app and one kernel flaw are used to steal passwords, and third, a malicious app and another kernel flaw are used to install more malware.
And this sounds like a state-sponsored attack on specially selected targets. China, for example, has conducted similar attacks on both iOS and Android devices to spy on Tibetan and Uyghur dissidents.
Money-grubbing criminal groups could also do this, but they usually find it better to stick to phishing attacks, adware, and other low-hanging fruit.
These three flaws were discovered by very busy researchers at Google Project Zero.
Project Zero researchers have discovered two zero-day flaws in Chrome and Chromium-based browsers and one in Windows in recent weeks.
All of these flaws are also being actively exploited; the Windows flaw has not yet been patched, but would not work without one of the Chrome flaws.