Security News > 2023 > September > Apple squashes security bugs after iPhone flaws exploited by Predator spyware

Apple squashes security bugs after iPhone flaws exploited by Predator spyware
2023-09-22 19:58

Apple has emitted patches this week to close security holes that have been exploited in the wild by commercial spyware.

We've just learned today that the Predator spyware sold by Intellexa used these vulnerabilities to infect at least one target's iPhone.

Each bug, according to Apple, "May have been actively exploited against versions of iOS before iOS 16.7," meaning so far it's only aware that certain versions of iOS have been attacked.

MacOS Monterey 12.7: CVE-2023-41992 [advisory] macOS Ventura 13.6: CVE-2023-41991 and CVE-2023-41992 [advisory] watchOS 9.6.3: CVE-2023-41991 and CVE-2023-41992 [advisory] watchOS 10.0.1: CVE-2023-41991 and CVE-2023-41992 [advisory] iOS 16.7 and iPadOS 16.7: CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later) [advisory] iOS 17.0.1 and iPadOS 17.0.1: CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 [advisory] Safari 16.6.1: CVE-2023-41993 [advisory].

Just as we were writing up this article, Google got back to us with this advisory by Stone, who said Intellexa's Predator snoopware abused the bugs on iOS to infect at least one iPhone.

According to the Googler, the web giant and Citizen Lab - which are both openly concerned about commercial spyware - discovered and reported evidence of this exploitation last week to Apple to address.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/09/22/apple_emergency_patches/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-09-21 CVE-2023-41993 Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products
The issue was addressed with improved checks.
8.8
2023-09-21 CVE-2023-41992 Improper Check for Unusual or Exceptional Conditions vulnerability in Apple Iphone OS and Macos
The issue was addressed with improved checks.
local
low complexity
apple CWE-754
7.8
2023-09-21 CVE-2023-41991 Improper Certificate Validation vulnerability in Apple Iphone OS and Macos
A certificate validation issue was addressed.
local
low complexity
apple CWE-295
5.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 72 238 1567 2279 265 4349