Apple has emitted patches this week to close security holes that have been exploited in the wild by commercial spyware.
The updates, which were issued yesterday and should be installed as soon as possible if not already, address as many as three CVE-listed flaws. We've just learned today that the Predator spyware sold by Intellexa used these vulnerabilities to infect at least one target's iPhone.
The bugs are:
Each bug, according to Apple, "may have been actively exploited against versions of iOS before iOS 16.7," meaning so far it's only aware that certain versions of iOS have been attacked. Due to the way the iGiant shares code among its products, though, products other than iOS are vulnerable and ought to be updated to prevent any further exploitation.
Here's what's affected by the above flaws that Apple is willing to patch up:
Those security holes were, Apple said, found and privately reported to the Mac giant by Bill Marczak of The Citizen Lab at The University of Toronto's Munk School in Canada, and by Maddie Stone of Google's Threat Analysis Group (TAG).
We asked Google and Citizen Lab for more information about potential or actual exploitation of these bugs, such as how people's devices are being attacked.
Just as we were writing up this article, Google got back to us with this advisory by Stone, who said Intellexa's Predator snoopware abused the bugs on iOS to infect at least one iPhone.
According to the Googler, the web giant and Citizen Lab – which are both openly concerned about commercial spyware – discovered and reported evidence of this exploitation last week to Apple to address.
We're told that if a customer of Intellexa wished to target a netizen for surveillance, that target's non-secure HTTP traffic would be somehow intercepted in a man-in-the-middle attack so that their iPhone's Safari browser would be silently redirected to servers operated by the spyware's vendor. Those servers would then return pages that would exploit CVE-2023-41993 in the iPhone's browser to achieve remote code execution.
Then CVE-2023-41991 would be used to bypass the device's pointer authentication code (PAC) protections that use cryptographic signatures in the upper bits of memory pointers to hopefully thwart certain kinds of exploits, such as those that would be used for CVE-2023-41993. We're promised a detailed write-up later from Google if you're interested in how that works.
Finally, CVE-2023-41992 is used to gain execution within the OS kernel and its high privileges, and a small payload is run to bring in the main Predator executable, which would then have full run of the phone, allowing it to steal data and snoop on the user for Intellexa's client.
Intellexa was added to the US entity list in July as a national security threat, making it hard for the European biz to do business with America and its allies.
"This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users," Stone wrote today.
"TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward.
"We would like to acknowledge and thank The Citizen Lab for their collaboration and partnership in the capturing and analysis of these exploits, and Apple for deploying a timely patch for the safety of online users."
She also urged people to use secure HTTPS rather than insecure HTTP where possible, as that would help prevent the aforementioned redirects.
That's not all as Stone revealed that Google had noticed someone installing Predator "on Android devices in Egypt." One way that software nasty got onto the equipment is via CVE-2023-4762, a flaw in Chrome that was patched on September 5 and had been used by Predator as a zero-day.
Finally, from Apple there is a security-level update for iOS 17.0.2 for iPhone 15 that has no details or CVEs assigned to it. ®
Some readers ask us if they can support The Register through some kind of subscription. The best way to back El Reg and keep our journalism flowing is to spread the word on social media, tell a colleague, sign up for a Register account and our newsletters, and comment away on articles.
Find and share us on Bluesky, LinkedIn, and Twitter. Tip us off with news. And thank you for reading.
Source: The register