Apple on Wednesday released emergency security patches for a new zero-day, the 17th it has reported this year.
The zero-day, CVE-2023-42824, is a privilege escalation flaw in the kernel that has been used in attacks on both iPhones and iPads. In its advisory, Apple said it was aware of a report that the issue may have been actively exploited against versions of iOS before iOS 16.6. That statement describes the exploitation Apple knows about, not the range of vulnerable versions: a device on iOS 16.6 or later is not protected until it receives the fix, which shipped in iOS 17.0.3 and iPadOS 17.0.3.
The increased frequency of attacks on Apple devices – the last Apple zero-day SC reported was on September 22 – has caused some alarm, but some security researchers say the attackers are not necessarily singling out Apple.
“While it may appear as if Apple has been the focus, many of the Apple zero-day exploits are based in open source software that’s used by many vendors, including Microsoft and Google,” explained Bud Broomhead, chief executive officer at Viakoo. “Instead of thinking of this as ‘yet another’ Apple zero-day, it should be thought of as ‘yet another’ open source zero-day.”
Broomhead added that with conflicts such as the Russia-Ukraine war carrying a significant cyber component, spillover from the battlefield to private businesses and individuals will happen. He said the spread of spyware such as Pegasus into the private sector has been one element fueling the growth of zero-days in consumer products like Apple’s.
Many of the new zero-days targeting Apple have been vulnerabilities exploited by commercial spyware vendors, explained Ken Westin, field CISO at Panther Labs. Westin said the spyware vendors rely on these exploits to deploy their spyware to unsuspecting targets. However, once an exploit is used against a target, Westin said the vendors have essentially played their hand: researchers from Citizen Lab, Google and others have identified the vulnerabilities being exploited and notified Apple so they can be patched.
“Less than ethical researchers can make quite a bit of money selling the exploits to these companies,” Westin said. “There’s an increase in demand for spyware by authoritarian regimes. Although the commercial spyware vendors say they only sell to certain countries for certain uses, it has been proven several times that that’s often not the case and the spyware gets used to target dissidents, journalists and political rivals. Companies like NSO Group have been blacklisted by the U.S. government and are under increased pressure at home and abroad, but other spyware vendors have come into the market.”
Here's which devices to check
According to Apple, the vulnerability impacts the following devices: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
Apple also patched CVE-2023-5217 on Wednesday, a heap buffer overflow in the libvpx VP8 video codec used by WebRTC that could result in arbitrary code execution. The company addressed the vulnerability by updating to libvpx 1.13.1. Clément Lecigne of Google’s Threat Analysis Group (TAG) discovered the flaw, which Google found being actively exploited and patched in its own products last week.
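Both CVEs are fixed by the same update, so the practical check for an administrator is whether each iPhone and iPad in inventory has reached the fixed build. The script below is an added example, not code from the article or from Apple: it reads a constructed MDM-style CSV export (the column layout is assumed) and flags iOS and iPadOS devices below 17.0.3, the version Apple shipped on Wednesday. Note that it compares versions as integer tuples; a plain string comparison would rank "9.3.5" above "17.0.3" and silently pass a badly outdated device.

```python
"""Flag iOS/iPadOS devices that have not received the update carrying the
CVE-2023-42824 and CVE-2023-5217 fixes.

Added example, not from the article or from Apple.
Assumptions: the fixed version is iOS/iPadOS 17.0.3 (Apple's October 4, 2023
release); the CSV columns (serial, model, os, os_version) are an assumed MDM
export layout; SAMPLE_INVENTORY is constructed data, not real devices.
"""
import csv
import io

FIXED_VERSION = "17.0.3"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '16.6.1' into (16, 6, 1) so versions compare numerically.

    Comparing the raw strings would be wrong: '9.3.5' > '17.0.3'
    lexicographically, which would hide a device that is years behind.
    Shorter strings are padded so '17.0' and '17.0.0' compare equal.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(os_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the device runs the fixed build or anything newer."""
    return parse_version(os_version) >= parse_version(fixed)


def unpatched_devices(inventory_csv: str) -> list[dict]:
    """Return inventory rows for iOS/iPadOS devices still below the fix.

    Model scoping (the "iPhone XS and later" list in Apple's advisory) needs
    Apple's hardware identifier table, which this example does not carry, so
    every iOS/iPadOS device below the fixed version is flagged for review.
    """
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [
        r for r in rows
        if r["os"] in ("iOS", "iPadOS") and not is_patched(r["os_version"])
    ]


# Constructed sample export. Note the iPhone XS on 16.6.1: it is newer than
# the "before iOS 16.6" exploitation statement in Apple's advisory but is
# still unpatched, because the fix only arrived in 17.0.3.
SAMPLE_INVENTORY = """\
serial,model,os,os_version
C0001,iPhone 14 Pro,iOS,17.0.3
C0002,iPhone XS,iOS,16.6.1
C0003,iPad Pro 11-inch (3rd generation),iPadOS,17.0.2
C0004,MacBook Pro,macOS,14.0
"""

if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{dev['serial']}  {dev['model']:<36} {dev['os']} {dev['os_version']}  NEEDS UPDATE")
```

Running the script against the sample data lists the iPhone XS on 16.6.1 and the iPad Pro on 17.0.2; the Mac is skipped because the macOS advisory is separate, and the iPhone already on 17.0.3 passes.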
Kern Smith, mobile security expert at Zimperium, added that mobile devices are now high-value targets for attackers, regardless of platform. Smith said vendors such as Apple have made commendable efforts in responding to these types of attacks with their security patches and updates. However, because of the return on investment for mobile exploits on both iOS and Android, Smith said attackers are highly motivated to find any method of exploitation they can, and will continue to do so.
“We have seen a drastic increase in mobile attacks targeting all platforms year over year, including not just device exploits, but also malware, and OS-agnostic attacks like phishing, smishing, and QR code attacks,” said Smith. “Mobile devices are the primary endpoint for both personal and professional use, and are being targeted accordingly.”