Update to iOS 14.2 - Apple Issues Urgent iPhone Security Update

Apple has distributed an emergency iOS update that fixes three "zero-day" security flaws already used by hackers to attack iPhones, iPads, and iPods. iDevices must be updated to iOS 14.2 and iPadOS 14.2.

"Apple is aware of reports of exploits for this issue in the wild," the company said in an Apple security advisory released today (November 5) next to the description of each flaw.

Apple does not call these "zero-day" flaws, but that is what they are: vulnerabilities that are attacked by hackers before defenders have a chance to fix them.

The flaws affect the iOS/iPadOS font parser and the iOS/iPadOS kernel. According to Apple's advisory, the font parser flaw "may lead to arbitrary code execution" when "maliciously crafted fonts are processed," which means devices can be hacked.

In the case of the second flaw, "malicious applications may be able to disclose kernel memory."

The third flaw "could allow a malicious application to ...... kernel privileges to execute arbitrary code," which is pretty much a complete system takeover.

The update to iOS and iPadOS 14.2 fixes 21 other security flaws.

Apple also upgraded iOS 12 to version 12.4.9 for devices that cannot run iOS 14, including the iPhone 5s, 6, 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and 6th-generation iPod touch. In that update, the three zero-day flaws and one older FaceTime flaw were fixed.

Reading between the lines, one can vaguely see the outlines of a multi-stage attack chaining together these three flaws that are being actively exploited. Second, a malicious app and one kernel flaw are used to steal passwords, and third, a malicious app and another kernel flaw are used to install more malware.

And this sounds like a state-sponsored attack on specially selected targets. China, for example, has conducted similar attacks on both iOS and Android devices to spy on Tibetan and Uyghur dissidents.

Money-grubbing criminal groups could also do this, but they usually find it better to stick to phishing attacks, adware, and other low-hanging fruit.

These three flaws were discovered by very busy researchers at Google Project Zero.

Project Zero researchers have discovered two zero-day flaws in Chrome and Chromium-based browsers and one in Windows in recent weeks.

All of these flaws are also being actively exploited; the Windows flaw has not yet been patched, but would not work without one of the Chrome flaws.
