By Jack Phillips
Apple recently released emergency security patches for iPhones, iPads, Macs, and Apple Watches that close several "zero-day" vulnerabilities that could leave a device open to spyware.
According to several bulletins posted by Apple late last week, the security patches were rolled out as iOS and iPadOS 17.0.1, iOS and iPadOS 16.7, macOS Ventura 13.6, macOS Monterey 12.7, and watchOS 10.0.1 and 9.6.3, among other releases.
As usual, Apple released very few details about the security vulnerabilities or their exploits. “For the protection of our customers, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available,” Apple says.
The emergency update targeted three issues, Apple said: CVE-2023-41992, a kernel flaw that a local attacker could use to elevate privileges; CVE-2023-41991, a flaw in the Security framework that let a malicious app bypass signature validation; and CVE-2023-41993, a WebKit flaw in which "processing web content may lead to arbitrary code execution." Of the third, Apple added that it "is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7."
The issues were found by Maddie Stone, a researcher at Google's Threat Analysis Group, and Citizen Lab's Bill Marczak, according to blog posts late last week. Both Citizen Lab and Google said the latest Apple updates addressed an exploit chain used in an attempt to place the Predator spyware on the phone of an Egyptian presidential hopeful.
“During our investigation, we worked with Google’s Threat Analysis Group to obtain an iPhone zero-day exploit chain (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) designed to install Predator on iOS versions through 16.6.1,” said Citizen Lab. “We also obtained the first stage of the spyware, which has notable similarities to a sample of Cytrox’s Predator spyware we obtained in 2021. We attribute the spyware to Cytrox’s Predator spyware with high confidence.”
Owners of iPhone, iPad, Mac, and Apple Watch devices are urged to update as soon as possible. On an iPhone or iPad, open Settings, select General, tap Software Update, and then tap Update Now.
Earlier in September, Apple sent out separate emergency patches as iOS and iPadOS 16.6.1, watchOS 9.6.2, and macOS Ventura 13.5.2. Those fixed zero-click vulnerabilities, also discovered by Citizen Lab, that were being used to deliver the Pegasus spyware, made by the Israeli company NSO Group, which can be used to surveil users and steal their data.
Although the spyware can be difficult to locate, certain tools such as iVerify can be used to check whether the malware is on your phone or device. Some researchers have stated that restarting an iPhone or another smartphone by turning it off and back on can disrupt the spyware, since many such implants live only in memory and do not survive a reboot; they also note that users rarely restart their phones. A reboot does not, however, stop an attacker from re-exploiting a device that is still unpatched, so it is no substitute for installing the update.
According to various published reports, the Predator spyware was allegedly sold to a multitude of state-backed actors in Armenia, Egypt, Madagascar, Greece, Ivory Coast, Indonesia, and elsewhere. Last week, both Google and Citizen Lab reported finding traces of Predator on the phone of former Egyptian lawmaker Ahmed Altantawy, described as a leading opposition politician.
Citizen Lab said the effort likely failed because Mr. Altantawy had his phone in Lockdown Mode, which Apple recommends for iPhone users at high risk, including rights activists, journalists, and political dissidents in countries like Egypt.
Prior to that, Citizen Lab said, attempts were made beginning in May to hack Mr. Altantawy's phone with Predator via links in SMS and WhatsApp messages that he would have had to click to become infected.
Mr. Altantawy, family members, and supporters have complained of being harassed, which led him to ask Citizen Lab researchers to analyze his phone for a possible spyware infection.
Once infected, the Predator spyware turns a smartphone into a remote eavesdropping device and lets the attacker siphon off data.
Given that Egypt is a known customer of Predator's maker, Cytrox, and that the spyware was delivered via network injection from Egyptian soil, Citizen Lab said it had "high confidence" that Egypt's government was behind the attack. Network injection of this kind depends on the target's traffic passing unencrypted through equipment the attacker controls, which is why the exploit was served when the phone visited sites over plain HTTP rather than HTTPS.
Describing the earlier iMessage-based chain that Citizen Lab had uncovered, Mr. Marczak told TechCrunch: "Because this attempt failed, the remnants of this zero-click exploit were left over on the phone. In this case, the root of the vulnerability was a bug in Google's WebP image library, which is integrated into the iPhone. Attackers found some way to exploit this to run arbitrary code within Apple's iMessage sandbox to install spyware on the system."
The Associated Press contributed to this report.