A new version of iOS and iPadOS fixes a zero-day bug exploited by hackers
The bug could be part of some infamous commercial spyware targeting iOS
By Alfonso Maruccia
The big picture: iOS devices are often targeted by both cyber-criminals and "commercial" spyware makers for surveillance operations, data theft and other malicious activities. All an attacker needs to get going is a security bug in WebKit, like the one Apple fixed with its latest updates for the iPhone and iPad operating systems.
Apple has released an updated version of iOS and iPadOS, both of which were affected by a couple of dangerous security flaws. One of the flaws is already being exploited by unknown cyber-criminals "in the wild," we're told. Considering the people Apple is thanking for the release, the aforementioned flaw could also be part of some well-known spyware systems being sold to the most dangerous organizations (and foreign states) in the world.
Information about the two fixed bugs is included in the notes about the "security content" of iOS 16.3.1 and iPadOS 16.3.1. Known as CVE-2023-23514, the first vulnerability is described as a "use after free issue" which was addressed with improved memory management. A malicious app designed to exploit the bug could execute arbitrary code with kernel privileges, Apple warned.
The second vulnerability is known as CVE-2023-23529, and it is by far the more dangerous of the two. It is described as a "type confusion issue" in the WebKit browser engine that could be used to craft a malicious web page for executing arbitrary code. Apple said it is aware that the issue "may have been actively exploited already," which actually means that security researchers likely told the company the zero-day security vulnerability is already part of some malicious campaign against iPhone and iPad users.
Apple thanked Xinru Chi (Pangu Lab) and Ned Williamson (Google Project Zero) for discovering CVE-2023-23514, and an anonymous researcher for pointing them to CVE-2023-23529. Furthermore, Cupertino acknowledged the help they got from The Citizen Lab at The University of Toronto's Munk School with the flaws.
The Citizen Lab group is well known for its research work against dangerous "hacking tools" made by NSO Group and sold to government agencies and police forces worldwide. The Israeli company is infamous for creating Pegasus, multi-platform spyware designed to exploit zero-day flaws like CVE-2023-23529 for smartphone-based surveillance operations.
According to several reports, Pegasus has been used to target human rights activists and journalists, for state espionage in Pakistan, and for domestic surveillance against Israeli citizens. It also played a role in the murder of Jamal Khashoggi by agents of the Saudi government.
Considering the involvement of Pegasus hunters at Citizen Lab, and the fact that Apple is tight-lipped on the issue for the time being, CVE-2023-23529 could very much be yet another weapon discovered in the powerful arsenal of commercial spyware and surveillance tools routinely abused to target dissidents in every part of the world.