Apple patched three zero-day vulnerabilities Thursday in iOS 17.0.1 and iPadOS 17.0.1 that Apple said "may have been actively exploited against versions of iOS before iOS 16.7."
According to an advisory published by Apple, CVE-2023-41992 is a kernel flaw that could allow an attacker to elevate privileges; CVE-2023-41991 could enable "a malicious app" to bypass signature validation; and CVE-2023-41993 is a WebKit bug in which "processing web content" crafted by a threat actor may lead to arbitrary code execution.
Apple said vulnerable devices include the following: "iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later."
All three vulnerabilities were credited in the advisory to Bill Marczak of Citizen Lab at the University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group. Citizen Lab earlier this month reported the discovery of CVE-2023-41064, an actively exploited zero-click, zero-day iOS vulnerability that NSO Group used to deliver its Pegasus spyware.
In their report, Citizen Lab researchers explained that CVE-2023-41064 was used in a new NSO exploit chain, which they dubbed "Blastpass." Apple discovered and patched another zero-day vulnerability, CVE-2023-41061, that was used in the Blastpass exploit.
Citizen Lab has reported a large number of zero-days used by the spyware vendor over the years, including those involving Apple products. Apple sued NSO Group for its cyber attacks against Apple users in late 2021.
TechTarget Editorial asked Apple if the three flaws disclosed Thursday were used by a spyware vendor such as NSO Group, but the tech giant declined to comment.
Update 9/22/2023: Citizen Lab published new research Friday that attributed exploitation of the three Apple zero-day flaws to Cytrox's Predator spyware. According to Citizen Lab researchers, Ahmed Eltantawy, a former member of the Egyptian Parliament, was targeted by Predator spyware between May and September 2023. "The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the report said.
According to Citizen Lab, Eltantawy contacted the organization because of cybersecurity concerns regarding his phone. The investigation revealed the existence of the new exploit chain and Predator spyware, which was injected into Eltantawy's phone from a Sandvine PacketLogic device that physically resided in Egypt. Based on the findings, Citizen Lab attributed the attack to the Egyptian government "with high confidence."
TechTarget Editorial has contacted Citizen Lab for additional information.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.