Unfortunately, this time we don't know any details because Google—the only company that has the whole story behind these bugs—has not said much at all about how it found the bugs, who was using them, and whom they were being used against. Notably, an update pushed to iOS 12 (which is two years old) patched the issue on phones dating back to the iPhone 5s and iPhone 6. Often, when updates are pushed to such old devices it means the bug is particularly bad, but, again, we do not know the specifics at this time."The fact that they updated iPhone 6 users means it was bad," said a cybersecurity expert who asked not to be named because he wasn't allowed to speak to the press. "That phone has been end of life for a while."
"This feels like spy shit."
Apple did not respond to requests for comment. A Microsoft spokesperson said in an email that the company “released security updates in November to address CVE-2020-17087. Customers who have applied the updates, or have automatic updates enabled, are protected.” The company also said that it has not seen evidence of exploitation in the wild. Ben Hawkes, the head of Google Project Zero, the internet giant's team of skilled hackers that is tasked with the mission of finding vulnerabilities in all kinds of software—not just Google's—announced on Twitter over the last 10 days that his team had found all these vulnerabilities (seven in total.) On Oct. 20, Google disclosed the first bug (CVE-2020-15999) in this series of vulnerabilities, a bug in FreeType, an open source font rendering software, was used to target Chrome, according to Hawkes. Then, on Oct. 30, the first bug (CVE-2020-17087) to gather more attention in the press was a Windows bug that allowed hackers to escalate system privileges, meaning the hackers could jump from having control of one app to taking control of the whole victim's system.
Do you have any information on these vulnerabilities, or the hackers who used them? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at email@example.com, or email firstname.lastname@example.org.