
Apple Issues Emergency Fix for Spyware-Style Zero-Days

Apple Recommends Immediate Updating Due to Extensive List of Affected Devices

Apple issued security updates to address two zero-day vulnerabilities being actively exploited in the wild and targeting iPads, Macs and iPhones.


The vulnerabilities are tracked as CVE-2023-28205 and CVE-2023-28206. Both issues were discovered by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab, according to an Apple security bulletin.

The latest zero-days affect iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later and Macs running macOS Ventura.

"Two different bugs are addressed in these updates. Importantly, both vulnerabilities are described not only as leading to 'arbitrary code execution,' but also as 'actively exploited,' making them zero-day holes," Paul Ducklin, a security researcher at Sophos, said in a blog post.

The first flaw, designated CVE-2023-28206, is an out-of-bounds write in Apple's IOSurfaceAccelerator display code. Because of it, any iOS application may be able to execute arbitrary code with kernel privileges.

"This bug allows a booby-trapped local app to inject its own rogue code right into the operating system kernel itself," Ducklin said. "Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves."

An out-of-bounds write occurs when a program writes data before the beginning or past the end of a buffer. "Typically, this can result in corruption of data, a crash or code execution," according to MITRE's Common Weakness Enumeration website.

While Apple said it is "aware of a report that this issue may have been actively exploited," it hasn't attributed such exploits to any specific cybercrime or nation-state group.

The other vulnerability, tracked as CVE-2023-28205, is present in WebKit, the open-source browser engine that serves as Apple's web content display subsystem across iOS and its other platforms. Apple said that on unpatched devices, processing "maliciously crafted web content may lead to arbitrary code execution."

The WebKit vulnerability could give attackers control over a user's browser or any app that uses WebKit to render and display HTML content. Many apps use "WebKit to show you web page previews, display help text, or even just to generate a good-looking About screen," Ducklin said.

"Apple's own Safari browser uses WebKit, making it directly vulnerable to WebKit bugs. Additionally, Apple's App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices," Ducklin said.

It's also possible attackers chained the two vulnerabilities together - for example, exploiting WebKit and using it to pivot to the kernel vulnerability.

On its own, a kernel-level bug that relies on a booby-trapped app is typically a limited threat against Apple devices, because Apple's strict App Store walled garden makes it hard for attackers to trick a victim into installing a rogue app.

Ducklin said a user won't go off-market and install an app from a secondary or unofficial source "even if you want to, so crooks would need to sneak their rogue app into the App Store first before they could attempt to talk you into installing it. But when attackers can combine a remote browser-busting bug with a local kernel-busting hole, they can sidestep the App Store problem entirely."

That is the case with these bugs, Ducklin said. The first bug, tracked as CVE-2023-28205, allows attackers to take over a phone's browser app remotely, at which point they effectively have a booby-trapped app that they can use to exploit the second bug, tracked as CVE-2023-28206, and take over the entire device.

"And remember that because all App Store apps with web display capabilities are required to use WebKit, the CVE-2023-28205 bug affects you even if you have installed a third-party browser to use instead of Safari," Ducklin added.

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
