Apple fixes three vulnerabilities found by spyware researchers

Apple has once again moved to lock down zero-day vulnerabilities uncovered by researchers specialising in commercial spyware and government surveillance, issuing a new patch for iPhone and Mac devices on Thursday 21 September.

The update covers CVE-2023-2023-41991, CVE-2023-41992 and CVE-2023-41993 in iOS, and CVE-2023-41991 and CVE-2023-41992 in macOS Ventura. Between them, these cover iPhone XS and later, iPad Pro 12.9 inch 2^nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1^st generation and later, iPad Air 3^rd generation and later, iPad 6^th generation and later, iPad mini 5th generation and later.

The first vulnerability, CVE-2023-41991, is a certificate validation issue that grants a malicious app the ability to bypass signature validation. The second, CVE-2023-41992, is an elevation of privilege (EoP) vulnerability affecting the device kernel. The third, CVE-2023-41993, affects the WebKit browser engine and enables a threat actor to achieve arbitrary code execution if the user can be lured to a malicious website.

Apple gave little further detail on any of these issues beyond stating it was “aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7”.

All three vulnerabilities are credited to Maggie Stone of the Google Threat Analysis Group (TAG) and Bill Marczak of The Citizen Lab at the University of Toronto’s Munk School.

This is the latest in a string of vulnerabilities in Apple devices disclosed by The Citizen Lab, a specialist research unit probing commercial spyware and government surveillance.

The involvement of The Citizen Lab in general suggests that the issue in question has been exploited by clients of commercial (also often referred to as mercenary) spyware makers, which tend to be government agencies spying on persons of interest.

In this case, The Citizen Lab has alleged that the vulnerabilities have been chained by the developer of the Predator spyware, which is produced by Cytrox, a North Macedonia based-developer that has been sanctioned by the US government and banned from Meta’s platforms. Cytrox has been linked to people closely associated with the disgraced spyware developer NSO Group, and former Israeli intelligence operatives.

In new intelligence published in the wake of Apple’s disclosure, The Citizen Lab said it found the exploit chain had been used to target Egyptian politician Ahmed Eltantawy after he declared his intention to run for President in upcoming elections.

The researchers said that Eltantawy was first targeted with Cytrox via links sent on SMS and WhatsApp. Then, in August and September of 2023, his Vodafone Egypt mobile connection was targeted via network injection when Eltantawy was automatically redirected to a site not using HTTPS encryption, where the malicious payload infected his device.

Even reckoning without their abuse by the private spyware sector, Klaus Schenk, senior vice-president of security and threat research at Verimatrix, said the impact of the vulnerabilities should make them highly concerning to any user regardless of their likelihood of being targeted for snooping.

“Privilege escalation, arbitrary code execution, and especially remote exploitable arbitrary code execution rank among the most dangerous issues for any computing system,” said Schenk. “It’s reassuring that Apple has not yet disclosed technical details of the attack vectors. Keeping that information private significantly reduces the risk of widespread exploits, since threat actors have less information to engineer effective attacks.

“For remote code execution to occur, a user would need to visit a website specifically crafted to leverage these vulnerabilities and distribute malicious code. With details undisclosed, the number of sites currently capable of mounting such an attack is likely very low.

“That said, Apple customers should immediately install these emergency security updates to protect themselves against potential targeted attacks. Timely patching is critical, as threat actors will eventually reverse engineer the fixes to understand the underlying flaws. By updating promptly, users ensure their devices cannot be compromised by attacks exploiting these particular zero-day vulnerabilities,” he said.

Users concerned about their own susceptibility to commercial spyware may wish to consider enabling Apple’s on-board Lockdown Mode, which is known to block this infection chain and others identified by The Citizen Lab.