Apple has released updates to its iOS 14 and iPadOS 14 operating systems that address a number of vulnerabilities. The most dangerous of these allow an attacker to elevate privileges on a device and ultimately execute arbitrary code.
In total, Apple has fixed 11 issues across products and components, including AppleAVD, Apple Keyboard, WebKit, and Siri.
A vulnerability (CVE-2020-9959) in the Siri voice assistant allows a user with physical access to the iPhone to view the contents of notifications from the lock screen. Another issue relates to specially crafted files in Pixar's 3D format, Universal Scene Description (USD), which allow an attacker to execute arbitrary code on certain iOS device models.
One of the most dangerous issues is the privilege escalation vulnerability (CVE-2020-9992) in Apple Xcode, affecting all versions of Apple iOS and iPadOS older than 13.7. The vulnerability could be exploited if an attacker tricked the victim into opening a specially crafted file.
"An attacker could exploit this vulnerability to execute arbitrary code on a paired device during a network debugging session," explained experts at IBM X-Force.