Apple fixes 3 zero-day vulnerabilities exploited to compromise iPhones

Apple has released updates for iOS and iPadOS, macOS, watchOS, and Safari to fix three zero-day vulnerabilities (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993) exploited “against versions of iOS before iOS 16.7.”

Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group have been credited with reporting them, so the flaws have probably been used to deploy spyware.

The patched zero-days (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993)

CVE-2023-41992, in the Kernel framework, allows a local attacker to elevate privileges.

CVE-2023-41991, in the Security framework, can be exploited by a malicious app to bypass signature validation.

CVE-2023-41993, in the WebKit browser engine, could be triggered by processing specially crafted web content and can lead to arbitrary code execution.

The released iOS/iPadOS 17.0.1 and 16.7 versions have patches for all three; the Safari update only for the WebKit flaw; watchOS 10.0.1, 9.6.3 and macOS Ventura 13.6 for the Kernel and Security vulnerabilities; and macOS Monterey 12.7 only for the Kernel one (though for both macOS versions, additional CVE entries are coming soon).
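As an added illustration (not code from the article or from Apple), a small patch-status check that encodes the fixed versions listed above and compares within each release branch, so that a device on 17.0, which is newer than 16.7 but older than 17.0.1, is correctly reported as unpatched; the inventory it runs over is constructed sample data:

```python
"""Patch-status check for CVE-2023-41992/41991/41993 (added example)."""
from typing import Dict, FrozenSet, Iterator, List, Tuple

ALL = frozenset({"CVE-2023-41992", "CVE-2023-41991", "CVE-2023-41993"})
KERNEL_SEC = frozenset({"CVE-2023-41992", "CVE-2023-41991"})

# Per platform: (release-branch major, first fixed version on that branch,
# CVEs that update addresses), as stated in the article. On macOS the WebKit
# fix ships with the separate Safari update, which is not modelled here.
FIXED: Dict[str, List[Tuple[int, str, FrozenSet[str]]]] = {
    "iOS":     [(17, "17.0.1", ALL), (16, "16.7", ALL)],
    "iPadOS":  [(17, "17.0.1", ALL), (16, "16.7", ALL)],
    "watchOS": [(10, "10.0.1", KERNEL_SEC), (9, "9.6.3", KERNEL_SEC)],
    "macOS":   [(13, "13.6", KERNEL_SEC), (12, "12.7", frozenset({"CVE-2023-41992"}))],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'16.7' -> (16, 7, 0); pad to three parts so 16.7 compares equal to 16.7.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

def patched_cves(platform: str, version: str) -> FrozenSet[str]:
    """CVEs from the article that this platform/version has the fix for.

    The comparison is done against the fix for the device's own branch:
    a plain '>= 16.7' check would wrongly pass 17.0.0.
    """
    ver = parse_version(version)
    for major, fixed, cves in FIXED.get(platform, []):
        if ver[0] == major:
            return cves if ver >= parse_version(fixed) else frozenset()
    return frozenset()  # branch not listed in the article: treat as unpatched

def triage(inventory) -> Iterator[Tuple[str, List[str]]]:
    """Yield (device, sorted missing CVEs) for devices lacking any of the three fixes."""
    for device, platform, version in inventory:
        missing = ALL - patched_cves(platform, version)
        if missing:
            yield device, sorted(missing)

SAMPLE_INVENTORY = [  # constructed sample data, not real devices
    ("phone-01", "iOS", "17.0"),       # newer than 16.7, still unpatched
    ("phone-02", "iOS", "16.7"),
    ("pad-01", "iPadOS", "16.6.1"),
    ("watch-01", "watchOS", "9.6.3"),
    ("mac-01", "macOS", "12.7"),
    ("mac-02", "macOS", "13.5.2"),
]

if __name__ == "__main__":
    for device, missing in triage(SAMPLE_INVENTORY):
        print(f"{device}: missing {', '.join(missing)}")
```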

Recent zero-days flagged by Citizen Lab

Earlier this month, Apple closed two zero-day vulnerabilities (CVE-2023-41064, CVE-2023-41061) that had been chained together by attackers to deliver NSO Group’s Pegasus spyware. Both were reported by The Citizen Lab.

A few days later, Google pushed out a security update for a Chrome zero-day vulnerability (CVE-2023-4863) exploited in the wild. The vulnerability is in the WebP image library and was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab. (Mozilla fixed the same flaw in Firefox, Firefox ESR, and Thunderbird the same day.)

Ben Hawkes, previously with Google’s Project Zero and now Isosceles (a security consulting company he founded), says that CVE-2023-4863 and CVE-2023-41064 may be the same flaw.

CVE-2023-41064 is a buffer overflow vulnerability in the Image I/O framework, and can be triggered with a maliciously crafted image.

“But we do know that ImageIO recently began to support WebP files, and we know that on September 6 (one day before the iOS/macOS security bulletin), Apple’s security team reported a WebP vulnerability to Chrome that was urgently patched (just 5 days after the initial report) and marked by Google as ‘exploited in the wild’. Based on this, it seems likely that [CVE-2023-41064] and CVE-2023-4863 are the same bug,” he noted.

He also said that while CVE-2023-4863 has been patched correctly in the libwebp library, it will likely take a while for the fix to be picked up by all the software that uses it.

Improved Lockdown Mode in iOS 17

Apple has released iOS 17 this week, and with it some updates to Lockdown Mode, which offers specialized protection to users at risk of highly targeted cyberattacks (e.g., state-sponsored mercenary spyware such as Pegasus).

Lockdown Mode now also works on Apple Watch, removes the geolocation data from photos by default, and prevents devices from joining insecure Wi-Fi networks and 2G cellular networks.

UPDATE: September 22, 2023 – 11:08 AM PT

Google’s Threat Analysis Group (TAG) has published a blog post outlining how the three Apple zero-days have been chained to deliver Intellexa’s Predator malware to targets’ iOS devices.

“The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762,” the researchers said.

UPDATE: September 25, 2023 – 03:00 AM PT

The Citizen Lab has published a detailed technical rundown of how the spyware delivery attack against Egyptian presidential hopeful Ahmed Eltantawy was executed.

“As with the BLASTPASS zero-click exploit we recently disclosed, we believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack,” Citizen Lab researchers noted.

“Therefore, we encourage all Mac, iPhone, and iPad users who may face increased risk because of who they are or what they do to enable Lockdown Mode.”
