UPDATE - Two weeks after fixing a pair of zero-day flaws, Apple has issued more patches addressing actively exploited vulnerabilities that impact various versions of macOS, iOS, iPadOS and watchOS.
On Thursday, the company fixed a trio of bugs, each in a different Apple component. One flaw (CVE-2023-41992) stems from Apple's kernel framework and could enable a local attacker to gain elevated privileges; Apple said this issue was addressed with improved checks. The second flaw (CVE-2023-41991) exists in Apple's security framework and could allow a malicious app to bypass signature validation. The third flaw, in Apple's WebKit web browser engine (CVE-2023-41993), could lead to arbitrary code execution when certain web content is processed. The latter flaw was also addressed through improved checks, according to Apple.
Apple said it "is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," according to its security update for all three flaws on Thursday.
The three flaws impact various versions of Apple products, including iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later; iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; as well as macOS Ventura. Additionally, CVE-2023-41992 and CVE-2023-41991 impact the Apple Watch Series 4 and later, and CVE-2023-41992 impacts macOS Monterey.
The flaws have been fixed in iOS and iPadOS 16.7 and iOS and iPadOS 17.0.1, as well as watchOS 10.0.1 and 9.6.3, macOS Ventura 13.6 and macOS Monterey 12.7. Apple also pushed out a fix for CVE-2023-41993 in Safari 16.6.1 for macOS Big Sur and Monterey.
All three bugs were discovered by Bill Marczak of the Citizen Lab and Maddie Stone of Google's Threat Analysis Group (TAG). Citizen Lab researchers, who often dig into attacks from commercial spyware companies, also led the charge in the discovery of the two Apple zero-days earlier this month (CVE-2023-41064 and CVE-2023-41061), which they said are part of an exploit chain that was being used to deliver NSO Group's Pegasus spyware.
On Friday, researchers said that the flaws were part of an exploit chain that was developed by commercial surveillance vendor Intellexa and was used to target individuals in Egypt. According to Google TAG's Stone, the exploit chain was delivered via a man-in-the-middle attack.
"In the case of this campaign, if the target went to any ‘http’ site, the attackers injected traffic to silently redirect them to an Intellexa site," said Stone. "If the user was the expected targeted user, the site would then redirect the target to the exploit server... While there’s a spotlight on '0-click' vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls."
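The delivery mechanism Stone describes works only because the target's first request was plaintext HTTP, which an on-path attacker can rewrite into a redirect. The following script is an added example, not code from the article or from Google TAG, showing how a defender could flag that pattern in web-gateway or proxy telemetry: it parses request/response records and reports any plaintext-HTTP request whose response redirected the client to an unrelated host. The log format, hostnames and client addresses are constructed for the example.

```python
"""
Flag plaintext-HTTP requests whose response redirected the client to a
different site. Injecting such a redirect is exactly what an on-path
attacker can do to unencrypted traffic; HTTPS requests are skipped
because their responses cannot be rewritten in transit.

The log format and all hostnames/addresses below are constructed for this
example and are not real telemetry.
"""
from urllib.parse import urlparse

# Constructed sample records, one per line:
#   <client> <method> <requested-url> <status> <Location-header-or-->
SAMPLE_LOG = """\
10.0.0.5 GET http://news.example.com/index.html 200 -
10.0.0.5 GET http://news.example.com/article 302 https://news.example.com/article
10.0.0.7 GET http://weather.example.org/today 302 http://redirect.placeholder-attacker.invalid/landing
10.0.0.9 GET https://bank.example.net/login 200 -
10.0.0.9 GET http://shop.example.com/ 301 https://www.shop.example.com/
"""

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_line(line):
    """Split one constructed log record into a dict."""
    client, method, url, status, location = line.split()
    return {
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def registrable_parent(host):
    """Crude same-site check: keep the last two DNS labels.

    This deliberately ignores public-suffix rules (e.g. co.uk); a production
    version should use a public suffix list instead.
    """
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_suspicious(entry):
    """True if a plaintext request was redirected off-site."""
    req = urlparse(entry["url"])
    if req.scheme != "http":
        # Only unencrypted requests can be tampered with on-path.
        return False
    if entry["status"] not in REDIRECT_STATUSES or not entry["location"]:
        return False
    dest = urlparse(entry["location"])
    return registrable_parent(dest.hostname or "") != registrable_parent(req.hostname or "")


def find_offsite_redirects(log_text):
    """Return every record that matches the off-site redirect pattern."""
    return [e for e in map(parse_line, log_text.splitlines()) if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_offsite_redirects(SAMPLE_LOG):
        print(f"{hit['client']} {hit['url']} -> {hit['status']} {hit['location']}")
```

Run against the embedded sample, only the `weather.example.org` request is reported: the same-site upgrades to HTTPS are normal and the HTTPS request is skipped. The check is a triage aid, not proof of tampering, since legitimate cross-site redirects exist; the durable mitigation is to remove plaintext first requests altogether (HTTPS-only mode on the client, HSTS with preloading on the server side).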
In addition to these flaws, Apple has rolled out fixes for other actively exploited bugs over the past year, including a July update addressing a WebKit flaw (CVE-2023-37450) impacting iOS, macOS and iPadOS, and fixes in June for bugs being used in targeted attacks.
This article was updated on Sept. 22 with further information about the zero-day exploit chain.