
Apple Issues Emergency Fix for Spyware-Style Zero Days


Cybercrime, Endpoint Security, Fraud Management & Cybercrime

Apple Recommends Immediate Updating Due to Extensive List of Affected Devices

Prajeet Nair (@prajeetspeaks) •
April 8, 2023    


Apple issued security updates to address two zero-day vulnerabilities being actively exploited in the wild and targeting iPads, Macs and iPhones.


The vulnerabilities are tracked as CVE-2023-28205 and CVE-2023-28206. Both were reported by Clement Lecigne of Google’s Threat Analysis Group and Donncha O Cearbhaill of Amnesty International’s Security Lab, according to Apple’s security bulletin.

The latest zero-days affect iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later and Macs running macOS Ventura.

“Two different bugs are addressed in these updates. Importantly, both vulnerabilities are described not only as leading to ‘arbitrary code execution,’ but also as ‘actively exploited,’ making them zero-day holes,” Paul Ducklin, a security researcher at Sophos, said in a blog post.

The first, CVE-2023-28206, is an out-of-bounds write in Apple’s IOSurfaceAccelerator display code. According to Apple, an app may be able to use it to execute arbitrary code with kernel privileges.

“This bug allows a booby-trapped local app to inject its own rogue code right into the operating system kernel itself,” Ducklin said. “Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves.”

Out-of-bounds writing (CWE-787) refers to writing data before the beginning or after the end of a buffer. “Typically, this can result in corruption of data, a crash or code execution,” according to Mitre’s Common Weakness Enumeration website.
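To make the weakness class concrete, here is an added example written for this article. It is not Apple’s code and does not reproduce the IOSurfaceAccelerator bug, whose internals are not public: the driver state, request format and handler names are hypothetical. It shows a kernel-style handler that takes an untrusted index from a calling app, the vulnerable version that uses it as an offset unchecked, and the hardened version that rejects it, with the word placed after the table standing in for whatever the kernel really keeps there.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of CWE-787 (out-of-bounds write). Not Apple's code and
 * not the IOSurfaceAccelerator bug: the driver state, request format and
 * handler names below are hypothetical. */

#define SLOT_COUNT 8

/* Hypothetical kernel-side state. The first SLOT_COUNT words are the table
 * the handler is meant to manage; the final word stands in for whatever the
 * kernel happens to place next in memory (a pointer, a flag, a length). */
struct driver_state {
    uint32_t mem[SLOT_COUNT + 1];
};
#define ADJACENT_WORD(st) ((st)->mem[SLOT_COUNT])

/* Request an unprivileged app hands to the driver; every field is untrusted. */
struct set_slot_req {
    uint32_t index;
    uint32_t value;
};

/* Vulnerable: uses the caller-supplied index as an offset without checking it
 * against SLOT_COUNT, so index == SLOT_COUNT writes one word past the table. */
int set_slot_vulnerable(struct driver_state *st, const struct set_slot_req *req)
{
    st->mem[req->index] = req->value;     /* CWE-787 when index >= SLOT_COUNT */
    return 0;
}

/* Hardened: reject any index outside the table before it becomes an offset.
 * The index is unsigned, so a "negative" value cannot slip past the check. */
int set_slot_hardened(struct driver_state *st, const struct set_slot_req *req)
{
    if (req->index >= SLOT_COUNT)
        return -1;                        /* EINVAL-style rejection */
    st->mem[req->index] = req->value;
    return 0;
}

/* Send a crafted request (index one past the end of the table) to either
 * handler and return the word that lives just after the table: nonzero means
 * the out-of-bounds write landed. *accepted reports whether the handler
 * took the request at all. */
uint32_t drive_oob_write(bool hardened, bool *accepted)
{
    struct driver_state st;
    memset(&st, 0, sizeof st);

    /* Constructed attacker input: one past the last valid slot. */
    struct set_slot_req crafted = { .index = SLOT_COUNT, .value = 0x41414141u };
    int rc = hardened ? set_slot_hardened(&st, &crafted)
                      : set_slot_vulnerable(&st, &crafted);
    if (accepted)
        *accepted = (rc == 0);
    return ADJACENT_WORD(&st);
}

int main(void)
{
    bool ok;
    uint32_t word;

    word = drive_oob_write(false, &ok);
    printf("vulnerable: adjacent word = 0x%08x (request accepted=%d)\n", word, ok);

    word = drive_oob_write(true, &ok);
    printf("hardened:   adjacent word = 0x%08x (request accepted=%d)\n", word, ok);
    return 0;
}
```

In a real kernel the word after the table is not a harmless sentinel but a pointer, a reference count or a privilege flag, which is why Apple rates this class of bug as leading to arbitrary code execution with kernel privileges rather than a mere crash. The fix is always the same shape: validate every length and index that crosses the user/kernel boundary before it is used as an offset.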

While Apple says it is “aware of a report that this issue may have been actively exploited,” it hasn’t attributed such exploits to any specific cybercrime or nation-state group.

The other vulnerability, CVE-2023-28205, is in WebKit, the open-source browser engine that serves as the web content display subsystem across iOS and Apple’s other platforms. Apple says that on unpatched devices, processing “maliciously crafted web content may lead to arbitrary code execution.”

The WebKit vulnerability could give attackers control over a user’s browser or over any app that uses WebKit to render and display HTML content. Apps use “WebKit to show you web page previews, display help text, or even just to generate a good-looking About screen,” Ducklin says.

“Apple’s own Safari browser uses WebKit, making it directly vulnerable to WebKit bugs. Additionally, Apple’s App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices,” Ducklin says.

It’s also possible that attackers chained the two vulnerabilities: exploiting WebKit first to get code running inside a browser or WebKit-based app, then using that foothold to trigger the kernel vulnerability.

On its own, a kernel-level bug that has to be triggered from a booby-trapped local app is typically not much of a threat to Apple devices, because Apple’s strict App Store “walled garden” makes it hard for attackers to get a victim to install a rogue app in the first place.

Ducklin notes that an iPhone or iPad user can’t go off-market and install an app from a secondary or unofficial source “even if you want to, so crooks would need to sneak their rogue app into the App Store first before they could attempt to talk you into installing it. But when attackers can combine a remote browser-busting bug with a local kernel-busting hole, they can sidestep the App Store problem entirely.”

That is the case here, Ducklin said: CVE-2023-28205 lets attackers take over the phone’s browser remotely, at which point they effectively have a booby-trapped app running on the device, and they can use it to exploit CVE-2023-28206 and take over the entire device.

“And remember that because all App Store apps with web display capabilities are required to use WebKit, the CVE-2023-28205 bug affects you even if you have installed a third-party browser to use instead of Safari,” Ducklin added.
