Apple on Thursday moved to patch three zero-day vulnerabilities actively exploited in the wild that security researchers believe are the work of commercial spyware vendors.
This now means Apple has fixed 16 zero-days this year, which security researchers said demonstrates that the popularity of Apple products has made it an attractive target.
In advisories, Apple credited Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for bringing the latest zero-days to their attention.
“A total of 16 zero-day vulnerabilities in a year is significant,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “Zero-days, by definition, are previously unknown and unpatched vulnerabilities that can be exploited. This high number could suggest that Apple devices, given their popularity and extensive user base, are attractive targets for advanced threat actors.”
Guenther also noted the fact that many of these vulnerabilities were discovered by groups such as the Citizen Lab and Google's Threat Analysis Group, which often focus on state-sponsored and high-level cyber-espionage campaigns, suggests that Apple devices are being targeted in sophisticated attacks against high-profile individuals.
For example, following a report Sept. 7 by Citizen Lab that an actively exploited zero-click vulnerability was used to deliver NSO Group’s Pegasus mercenary spyware on an Apple device, Apple quickly moved to issue two CVEs to rectify the issue.
The Pegasus spyware developed and distributed by the NSO Group has been widely used by both the private and government sectors across the globe for surveillance purposes against journalists, human and civil rights activists, politicians and other individuals.
The zero-days patched yesterday by Apple include the following:
- CVE-2023-41993: WebKit browser vulnerability. Critical Start’s Guenther said given that WebKit powers Apple's Safari browser and many iOS apps, a flaw allowing arbitrary code execution can be highly impactful. Malicious web pages can directly impact a broad range of users and potentially compromise sensitive data. NIST reported that this issue was fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, and Safari 16.6.1.
- CVE-2023-41991: Security Framework Vulnerability. The ability to bypass signature validation for apps is of high concern, said Guenther. Signature validation ensures the authenticity and integrity of apps. Bypassing this means malicious apps could masquerade as legitimate ones, potentially deceiving users and other software checks. NIST reported this issue was fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, and Safari 16.6.1.
- CVE-2023-41992: Kernel Framework Vulnerability. Privilege escalation flaws in the kernel are particularly severe, said Guenther. They can allow a threat actor who has gained initial access to a system (often with limited permissions) to gain higher privileges, possibly even root or administrative access. This can lead to full system compromise. NIST reported this issue was fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7, and watchOS 10.0.1.
Ken Westin, Field CISO at Panther Labs, added that these new zero-day vulnerabilities appear to be tied to commercial spyware vendors exploiting zero-day vulnerabilities. Westin said there’s a disturbing rise in the use of zero-day vulnerabilities and corresponding exploits being utilized by commercial spyware vendors.
“The great work by Citizen Lab and Google in reporting these vulnerabilities to Apple indicates that these vulnerabilities have been exploited in the wild,” said Westin. “The work that’s being done to expose these vulnerabilities that are being exploited by commercial spyware vendors is also raising the cost of doing business for spyware vendors. When a particular vulnerability is used by commercial spyware vendors they now run the risk of their zero-day exploit being burned, so may only be able to leverage the exploit within a small window of time.”
Apple introduced critical security patches
Michael Covington, vice president of Portfolio Strategy at Jamf, said it’s helpful to remember that Apple updated its software release process just earlier this year. In the previous model, Covington said new features, bug fixes and patches were all introduced under a single release. This new model separates critical security patches from functional updates, which lets Apple stay more nimble with how they address vulnerabilities that are being actively exploited by attackers.
Covington said this new security patch process, delivered under the name of Rapid Security Response (RSR), lets Apple distribute much smaller pieces of code on a more regular basis, as the need arises.
“Given the attention Apple platforms are getting as they grow in popularity, it's not surprising that there are more vulnerabilities discovered and exploited,” said Covington. “Regardless, the new RSR model is a good thing for the industry, as it allows a vendor to rapidly correct bugs without worrying about including feature updates in the same codebase.”