Article Details
Scrape Timestamp (UTC): 2023-09-23 00:47:37.495
Source: https://www.theregister.com/2023/09/22/apple_emergency_patches/
Original Article Text
Apple squashes security bugs after iPhone flaws exploited by Predator spyware
Holes in iOS, macOS and more fixed following tip-off from Google, Citizen Lab

Apple emitted patches this week to close security holes that have been exploited in the wild by commercial spyware. The updates, which were issued yesterday and should be installed as soon as possible if not already, address as many as three CVE-listed flaws. We've just learned today that the Predator spyware sold by Intellexa used these vulnerabilities to infect at least one target's iPhone.

The bugs are:

Each bug, according to Apple, "may have been actively exploited against versions of iOS before iOS 16.7." However, because the iGiant's various products share bits of the same code, it's not just iPhones and iOS that are vulnerable: other Apple gear is affected and ought to be patched so that further exploitation is prevented. Here's what's affected by the above flaws that Apple is willing to patch up:

Those security holes were, Apple said, found and privately reported to the Mac giant by Bill Marczak of The Citizen Lab at The University of Toronto's Munk School in Canada, and by Maddie Stone of Google's Threat Analysis Group (TAG).

We asked Google and Citizen Lab for more information about potential or actual exploitation of these bugs, such as how people's devices are being attacked. Just as we were writing up this article, Google got back to us with this advisory by Stone, who said Intellexa's Predator snoopware abused the bugs on iOS to infect at least one iPhone. According to the Googler, the web giant and Citizen Lab – which are both openly concerned about commercial spyware – discovered and reported evidence of this exploitation last week to Apple to address.
We're told that if a customer of Intellexa wished to target a netizen for surveillance, that target's non-secure HTTP traffic would be somehow intercepted in a man-in-the-middle attack so that their iPhone's Safari browser would be silently redirected to servers operated by the spyware's vendor. If the visitor was determined to be the desired target, those servers would then return pages that would exploit CVE-2023-41993 in the iPhone's browser to achieve remote code execution.

Then CVE-2023-41991 would be used to bypass pointer authentication code (PAC) protections, which use cryptographic signatures in the upper bits of memory pointers to thwart certain kinds of exploits. We're promised a detailed write-up later from Google if you're interested in how that works.

Finally, CVE-2023-41992 is used to gain execution within the OS kernel, and a small payload is run to again check that the target is the correct one and, if so, bring in the main Predator executable, which would then have full run of the phone, allowing it to steal data and snoop on the user for Intellexa's client.

Intellexa was added to the US entity list in July as a national security threat, making it hard for the European biz to do business with America and its allies.

"This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users," Stone wrote today. "TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward.

"We would like to acknowledge and thank The Citizen Lab for their collaboration and partnership in the capturing and analysis of these exploits, and Apple for deploying a timely patch for the safety of online users."

She also urged people to use secure HTTPS rather than insecure HTTP where possible, as that would help prevent the aforementioned redirects.
That's not all, as Stone revealed that Google had also noticed someone installing Predator "on Android devices in Egypt" using an exploit chain. One bug in that chain was CVE-2023-4762, a flaw in Chrome that was patched on September 5 – following a separate bug report from a researcher – and had been earlier used by Predator as a zero-day.

Finally, from Apple there is a security-level update for iOS 17.0.2 for iPhone 15 that has no details or CVEs assigned to it.
Daily Brief Summary
• Apple has issued patches for three CVE-listed flaws in its iOS and macOS systems after Intellexa's Predator spyware was found to have exploited these vulnerabilities to target an iPhone.
• The vulnerabilities reportedly allowed the spyware to gain execution within the OS kernel, bypass pointer authentication code protections, and steal data and spy on the user for Intellexa's client.
• Researchers from The Citizen Lab and Google's Threat Analysis Group identified and reported these exploitations to Apple, following which the patches were released.
• Sources said that the Predator spyware exploited non-secure HTTP traffic for a man-in-the-middle attack and redirected the target's Safari browser to servers operated by the spyware's vendor.
• Intellexa, which was added to the US entity list as a national security threat in July, used the holes in the iOS and macOS systems to infect devices without users' knowledge.
• Google also noted that Predator was installed "on Android devices in Egypt" using a different exploit chain, one bug in which was a flaw in Chrome patched on September 5.
• Apple, Google and Citizen Lab have advised users to promptly install the patches to avoid further exploitation and to use secure HTTPS rather than insecure HTTP where possible.