Apple squashes security bugs after iPhone flaws exploited by Predator spyware

Apple emitted patches this week to close security holes that have been exploited in the wild by commercial spyware.

The updates, which were issued yesterday and should be installed as soon as possible if not already, address as many as three CVE-listed flaws. We've just learned today that the Predator spyware sold by Intellexa used these vulnerabilities to infect at least one target's iPhone.

The bugs are:

1. CVE-2023-41991: According to Apple, "a malicious app may be able to bypass signature validation," and was fixed by correcting "a certificate validation issue."
2. CVE-2023-41992: This is a kernel-level privilege escalation hole that was fixed "with improved checks." This can be abused by rogue applications and users to gain the necessary privileges to take full control of a device.
3. CVE-2023-41993: Apple said "processing web content may lead to arbitrary code execution," which again was addressed "with improved checks." A maliciously crafted webpage could exploit this when someone browses that page on a vulnerable device. We could see these bugs being chained together: a webpage could inject code that elevates its privileges to kernel level to take over a system, for instance.

Each bug, according to Apple, "may have been actively exploited against versions of iOS before iOS 16.7." However, due to the way the iGiant's various products share various bits of the same code, it's not just iPhones and iOS that are vulnerable: other Apple gear is affected and ought to be patched so that further exploitation is prevented.

Here's what's affected by the above flaws that Apple is willing to patch up:

• macOS Monterey 12.7: CVE-2023-41992 [advisory]
• macOS Ventura 13.6: CVE-2023-41991 and CVE-2023-41992 [advisory]
• watchOS 9.6.3: CVE-2023-41991 and CVE-2023-41992 (Affecting Apple Watch Series 4 and later) [advisory]
• watchOS 10.0.1: CVE-2023-41991 and CVE-2023-41992 (Affecting Apple Watch Series 4 and later) [advisory]
• iOS 16.7 and iPadOS 16.7: CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 (Affecting iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later) [advisory]
• iOS 17.0.1 and iPadOS 17.0.1: CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 (Affecting iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later) [advisory]
• Safari 16.6.1: CVE-2023-41993 (Affecting macOS Big Sur and Monterey) [advisory]

Those security holes were, Apple said, found and privately reported to the Mac giant by Bill Marczak of The Citizen Lab at The University of Toronto's Munk School in Canada, and by Maddie Stone of Google's Threat Analysis Group (TAG).

We asked Google and Citizen Lab for more information about potential or actual exploitation of these bugs, such as how people's devices are being attacked.

Just as we were writing up this article, Google got back to us with this advisory by Stone, who said Intellexa's Predator snoopware abused the bugs on iOS to infect at least one iPhone.

According to the Googler, the web giant and Citizen Lab – which are both openly concerned about commercial spyware – discovered and reported evidence of this exploitation last week to Apple to address.

We're told that if a customer of Intellexa wished to target a netizen for surveillance, that target's non-secure HTTP traffic would be somehow intercepted in a man-in-the-middle attack so that their iPhone's Safari browser would be silently redirected to servers operated by the spyware's vendor. If the visitor was determined to be the desired target, those servers would then return pages that would exploit CVE-2023-41993 in the iPhone's browser to achieve remote code execution.

Then CVE-2023-41991 would be used to bypass pointer authentication code (PAC) protections, which use cryptographic signatures in the upper bits of memory pointers to thwart certain kinds of exploits. We're promised a detailed write-up later from Google if you're interested in how that works.

Finally, CVE-2023-41992 is used to gain execution within the OS kernel, and a small payload is run to again check that the target is the correct one and if so, bring in the main Predator executable, which would then have full run of the phone, allowing it to steal data and snoop on the user for Intellexa's client.

• Grab those updates: Microsoft flings out fixes for already-exploited bugs
• That critical vulnerability might not be the first you should patch
• Patch now? Why enterprise exploits are still partying like it's 1999

Intellexa was added to the US entity list in July as a national security threat, making it hard for the European biz to do business with America and its allies.

"This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users," Stone wrote today.

"TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward.

"We would like to acknowledge and thank The Citizen Lab for their collaboration and partnership in the capturing and analysis of these exploits, and Apple for deploying a timely patch for the safety of online users."

She also urged people to use secure HTTPS rather than insecure HTTP where possible, as that would help prevent the aforementioned redirects.

That's not all as Stone revealed that Google had also noticed someone installing Predator "on Android devices in Egypt" using an exploit chain. One bug in that chain was CVE-2023-4762, a flaw in Chrome that was patched on September 5 – following a separate bug report from a researcher – and had been earlier used by Predator as a zero-day.

Finally, from Apple there is a security-level update for iOS 17.0.2 for iPhone 15 that has no details or CVEs assigned to it. ®