Just days after the milestone iOS 17 rollout, Apple is rushing to patch a new round of flaws said to be potentially exploited by threat actors.
In the never-ending cat-and-mouse game with malicious actors, Apple this week addresses three new vulnerabilities across an array of products, including the iPhone and iPad, Macs, and the company’s flagship wearable, the Apple Watch.
“A local attacker may be able to elevate their privileges,” a Kernel flaw tracked as CVE-2023-41992 is described. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.”
A second bug, listed in the “Security” department and tracked as CVE-2023-41991, is described as follows: “A malicious app may be able to bypass signature validation.” This issue is also thought to be actively exploited in the wild.
The third flaw (CVE-2023-41993), found in the WebKit web rendering engine shared between the vast array of products sold by the Cupertino company, is said to let the bad guys to carry out “arbitrary code execution,” meaning a threat actor can exploit it to run malware on the target device.
The bugs were reported by Bill Marczak of The Citizen Lab at The University of Toronto's Munk School, and Maddie Stone of Google's Threat Analysis Group.
The Citizen Lab is well known for its crusade against mercenary spyware, an ever-growing threat in the iOS ecosystem, despite Apple’s efforts to secure the platform against hackers.
While the advisories don’t say who is exploiting the flaws or why, the narrative is almost identical to instances involving spyware.
Two weeks ago, Apple was alerted to similar bugs being exploited in the wild by threat actors wielding NSO Group’s infamous Pegasus spyware. The company was quick to issue the patches to its user base, including backporting the fixes to older-generation devices.
As highlighted in our macOS Threat Report presented at Black Hat USA 2023, Apple in recent years has found it increasingly necessary to patch actively exploited vulnerabilities in its platforms. Moreover, spyware vendors are intensifying their focus on iOS, which shares many components with macOS. As a result, cybercriminals are better positioned to target Macs with this plague.
iOS 17.0.1 and iPadOS 17.0.1 are available for those who’ve already made the jump to Apple’s new mobile OS this week. For users still holding off the upgrade, iOS 16.7 and iPadOS 16.7 are available with the same critical fixes inside.
Two of the flaws were also found on the desktop front. Mac users can fend off exploitation of these vulnerabilities by installing macOS Ventura 13.6 and macOS Monterey 12.7.
watchOS 10.0.1 and watchOS 9.6.3 include the same important fixes for Apple Watch users.
The full list of updates available for your various Apple gizmos can be found at https://support.apple.com/en-gb/HT201222.
Most attacks exploiting unpatched bugs on Apple platforms are highly-targeted, but Bitdefender strongly recommends making all security updates a priority as the vendor makes them available.
When in doubt, use the trusty Lockdown Mode available from iOS 16 and macOS Ventura onwards. And consider using a dedicated security solution on your iPhone and Mac, to fend off the wider palette of threats out there.